Chapter 18 Configuring Subsystems for LDAP Publishing

If you are using an LDAP-compliant directory, such as Netscape Directory Server, to publish and manage your user and group data, you can configure the Certificate Manager or Registration Manager to communicate with this directory. The Certificate Manager can then publish end-entity as well as CA certificates and the certificate revocation list (CRL) to the directory; the Registration Manager can publish end-entity certificates to the directory. This way, your publishing directory acts as a common distribution point for information about users and other entities on the network, including each entity's current security credentials.

The chapter has the following sections:

• Setting Up the Directory for Publishing
• Configuring a Certificate Manager for LDAP Publishing
• Configuring a Registration Manager for LDAP Publishing
• Manually Updating Certificate Information in the Directory

• Step 1. Verify the Directory Schema
• Step 2. Add an Entry for the CA
• Step 3. Identify an Entry That Has Write Access
• Step 4. Add Entries for End Entities

The directory schema must include all the attributes and object classes explained in "Directory Schema Requirements".

For the Certificate Manager to publish its CA certificate, the directory must include an entry for the CA. To add this entry in Netscape Directory Server 3.x, use its HTML forms-based interface (the HTTP gateway). In Netscape Directory Server 4.x, you can use the Directory Server window (you can launch this from within Netscape Console). For information on using these interfaces to add an entry for the CA, see the appropriate documentation.

• If the CA's distinguished name begins with the CN component, create a new Person entry for the CA. (If you select a different type of entry, the interface may not allow you to specify a value for the CN component.)
• If the CA's distinguished name begins with the OU component, create a new Organizational Unit entry for the CA.

Step 3. Identify an Entry That Has Write Access

As part of the process of configuring Certificate Management System to work with Directory Server, you need to specify a distinguished name that has write access to the directory. In other words, to publish certificates and the CRLs to the directory, the Certificate Manager or Registration Manager needs to use a user entry (in the directory) that has write access to the directory.

• Give write access to the Certificate Manager's distinguished name.

The Certificate Manager, during its installation, automatically creates a user entry for itself in the directory (for publishing its CA certificate); the entry can be identified by the Certificate Manager's DN:

cn=<certificate_authority_name>, o=<org_name>, c=<country>

For instructions on giving write access to the Certificate Manager's entry, see your LDAP directory documentation.

• Use the DN of an existing entry that has write access.

You can use the entry of the Directory Manager or choose an alternative. In either case, you must identify this user entry to the Certificate Manager and Registration Manager by entering the DN of the user entry as the Bind as parameter value when you configure the subsystems for LDAP publishing. See "Identifying a Certificate Manager's Publishing Directory".

• When the Certificate Manager starts up, it publishes its CA certificate to the configured directory.
• When the Certificate Manager or Registration Manager issues a new certificate, it publishes the certificate to the configured directory.
• When the Certificate Manager revokes a certificate, it removes that certificate from the configured directory.
• When a certificate expires, the Certificate Manager or Registration Manager can remove that certificate from the configured directory. The server uses the Job Scheduler component to accomplish this task; see "Directory Update and Notification".
• When the certificate revocation list is created or updated (either through the CMS window or through a certificate revocation in the agent or end-entity interface), the Certificate Manager publishes that list to the configured directory.

You need to add an entry for each end entity for whom you want a certificate published. If the end entity does not have an entry in the directory, the Certificate Manager or Registration Manager will not be able to publish the end entity's certificate.

• Identifying a Certificate Manager's Publishing Directory
• Configuring Mapper and Publisher Classes for the CA Certificate
• Configuring Mapper and Publisher Classes for End-Entity Certificates

Identifying a Certificate Manager's Publishing Directory

To identify the Directory Server instance that a Certificate Manager should use for publishing the CA certificate, end-entity certificates, and CRLs:

1. Access the CMS window (see "Accessing the CMS Window").
2. Click the Configuration tab.
3. In the navigation tree, click Certificate Manager, then click LDAP Publishing.

The right pane shows the publishing details necessary for the subsystem to publish to an LDAP-compliant directory.



4. To enable LDAP publishing, check the Enable LDAP Publishing option.
5. In the Destination section, identify a Directory Server instance.

Host name. Type the full host name of the Directory Server instance. The Certificate Manager uses this name to locate the directory. The format for the host name must be as follows:

<machine_name>.<your_domain>.<domain>

Port number. Type the TCP/IP port number at which this Directory Server is listening to publishing requests from the Certificate Manager. The port you specify should be unique on the Directory Server host system; make sure no other application is attempting to use the same port.

Authentication. Select the authentication type. The choices are "Basic authentication" and "SSL client authentication." If you select "Basic authentication," you must specify the Bind as parameter. If you select "SSL client authentication," you must check the "Use SSL communication" box and identify the certificate that the Certificate Manager must use for SSL client authentication to the directory.

Use SSL communication. Check this box if the port number you typed is an SSL port; uncheck the box if the port is non-SSL. The port type you specify determines whether the Certificate Manager needs to do SSL client authentication prior to publishing certificates and CRLs to the directory. Also, before checking this box, make sure that the specified Directory Server is configured for SSL-enabled communication.

Client certificate. Select the certificate you want the Certificate Manager to use for SSL client authentication to the publishing directory. By default, the Certificate Manager uses its SSL server certificate for this purpose (see "SSL Server Key Pair and Certificate").

Directory manager DN. Type the distinguished name (DN) of an entry in your LDAP directory that has write permission to the CA and end-entity entries in the directory. You specified this when setting up the directory for publishing; see "Step 3. Identify an Entry That Has Write Access". The Certificate Manager uses this DN to access the directory tree and to publish to the directory. The access control set up for this DN determines whether the Certificate Manager can perform publishing. Typically, you would want to enter the directory manager's DN because it has read-write permission to the entire directory tree (the root DN). For more information on root DN, see "Root Distinguished Name".

Password. Type the password for this DN. If you change the password, the server updates the single sign-on password cache with the new password; for details, see "Required Start-up Information".

Confirm password. Retype the password exactly as you typed it in the previous field.

Version. Select the LDAP protocol version. The choices are version 2 and version 3. If the directory you want the Certificate Manager to publish to is based on Netscape Directory Server 1.x, select version 2. For Directory Server versions 3.x and later, select LDAP version 3.

6. To save your changes, click Save.

The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

You can configure the Certificate Manager to publish its CA certificate to the directory. If so configured, the Certificate Manager publishes the certificate to the directory specified in the General tab; see "Identifying a Certificate Manager's Publishing Directory".

1. Access the CMS window (see "Accessing the CMS Window").
2. Click the Configuration tab.
3. In the navigation tree, click Certificate Manager, then click LDAP Publishing.

The right pane shows the publishing details necessary for the Certificate Manager to publish to an LDAP-compliant directory.

4. Click the CA Certificate tab.

   

5. In the CA Certificate tab, click Configuration.

The Configure Mapper Parameters window appears.



6. From the Mapper drop-down list, select the mapper class you want the Certificate Manager to use for locating the CA entry in the publishing directory.

By default, the list box shows the default mapper class, called LdapCertCompsMap, provided by the Certificate Manager. If you have registered any custom mapper classes, they too are available for selection.

7. Enter the appropriate values for the configuration parameters that define the mapper class you chose.

For detailed information about the default mapper class, see "Built-in Mapper Classes".

8. Click OK.

You are returned to the CA Certificate tab.

9. To save your changes, click Save.

The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

You can configure a Certificate Manager to publish end-entity certificates to an LDAP-compliant directory. If so configured, the subsystem publishes end-entity certificates to the directory specified in the General tab; see "Identifying a Certificate Manager's Publishing Directory".

1. Access the CMS window (see "Accessing the CMS Window").
2. Click the Configuration tab.
3. In the navigation tree, click Certificate Manager, then click LDAP Publishing.

The right pane shows the publishing details necessary for the subsystem to publish to an LDAP-compliant directory.

4. Click the User Certificate tab.

   

5. In the User Certificate tab, click Configuration.

The Configure Mapper Parameters window appears.



6. From the Mapper drop-down list, select the mapper class you want the Certificate Manager to use for locating end-entity entries in the publishing directory.

By default, the list box shows the default mapper class, called LdapCertCompsMap, provided by the Certificate Manager. If you have registered any custom mapper classes, they too are available for selection.

7. Enter the appropriate values for the configuration parameters that define the mapper class you chose.

For detailed information about the default mapper class, see "Built-in Mapper Classes".

8. Click OK.

You are returned to the User Certificate tab.

9. To save your changes, click Save.

The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

• Identifying a Registration Manager's Publishing Directory
• Configuring Mapper and Publisher Classes for End-Entity Certificates

Identifying a Registration Manager's Publishing Directory

To identify the Directory Server instance that a Registration Manager should use for publishing end-entity certificates:

1. Access the CMS window (see "Accessing the CMS Window").
2. Click the Configuration tab.
3. In the navigation tree, click Registration Manager, then click LDAP Publishing.

The right pane shows the publishing details necessary for the subsystem to publish to an LDAP-compliant directory.



4. To enable LDAP publishing, check the Enable LDAP Publishing option.
5. In the Destination section, identify a Directory Server instance:

Host name. Type the full host name of the Directory Server instance. The Registration Manager uses this name to locate the directory. The format for the host name must be as follows:

<machine_name>.<your_domain>.<domain>

Port number. Type the TCP/IP port number at which this Directory Server is listening to publishing requests from the Registration Manager. The port you specify should be unique on the Directory Server host system; make sure that no other application is attempting to use the same port.

Authentication. Select the authentication type. The choices are "Basic authentication" and "SSL client authentication." If you select "Basic authentication," you must specify the Bind as parameter. If you select "SSL client authentication," you must check the "Use SSL communication" box and identify the certificate that the Registration Manager must use for SSL client authentication to the directory.

Use SSL communication. Check this box if the port number you typed is an SSL port; uncheck the box if the port is non-SSL. The port type you specify determines whether the Registration Manager needs to do SSL client authentication prior to publishing certificates to the directory. Also, before checking this box, make sure that the specified Directory Server is configured for SSL-enabled communication.

Client certificate. Select the certificate you want the Registration Manager to use for SSL client authentication to the publishing directory. By default, the Registration Manager uses its SSL server certificate for this purpose (see "SSL Server Key Pair and Certificate").

Directory manager DN. Type the distinguished name (DN) of an entry in your LDAP directory that has write permission to the end-entity entries in the directory. You specified this when setting up the directory for publishing; see "Step 3. Identify an Entry That Has Write Access". The Registration Manager uses this DN to access the directory tree and publish to the directory. The access control set up for this DN determines whether the Registration Manager can perform publishing. Typically, you would want to enter the directory manager's DN because it has read-write permission to the entire directory tree (the root DN). For more information on root DN, see "Root Distinguished Name".

Password. Type the password for this DN. If you change the password, the server updates the single sign-on password cache with the new password; for details, see "Required Start-up Information".

Confirm password. Retype the password exactly as you typed it in the previous field.

Version. Select the LDAP protocol version. The choices are version 2 and version 3. If the directory you want the Registration Manager to publish to is based on Netscape Directory Server 1.x, select version 2. For Directory Server versions 3.x and later, select LDAP version 3.

6. To save your changes, click Save.

The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

You can configure the Registration Manager to use specific object mapping and publishing rules (classes) to locate end-entity entries in the publishing directory to publish or update certificate information.

1. Access the CMS window (see "Accessing the CMS Window").
2. Click the Configuration tab.
3. In the navigation tree, click Registration Manager, then click LDAP Publishing.

The right pane shows the publishing details necessary for the subsystem to publish to an LDAP-compliant directory.

4. Click the User Certificate tab.

   

5. In the User Certificate tab, click Configuration.

The Configure Mapper Parameters window appears.



6. From the Mapper drop-down list, select the mapper class you want the Registration Manager to use for locating end-entity entries in the publishing directory.

By default, the list box shows the default mapper class, called LdapCertCompsMap, provided by the Registration Manager. If you have registered any custom mapper classes, they too are available for selection.

7. Enter the appropriate values for the configuration parameters that define the mapper class you chose.

For detailed information about the default mapper class, see "Built-in Mapper Classes".

8. Click OK.

You are returned to the User Certificate tab.

9. To save your changes, click Save.

The CMS configuration is modified. If the changes you made require you to restart the server, you will be prompted accordingly. In that case, restart the server.

• Update the directory with certificates.
• Remove expired certificates from the directory. Note that you can automate removal of expired certificates from the publishing directory by scheduling a CMS job. For details, see "Directory Update and Notification".
• Remove revoked certificates from the directory.

For complete details on agent operations, see Netscape Certificate Management System Agent's Guide.

1. Go to the Certificate Manager Agent Services page.

You must submit the proper client certificate to get access to this page.

2. Click the Update Directory Server link.

The Update Directory Server page appears.

3. Select the appropriate options.
4. When you are done specifying the changes that you want updated, click Update Directory.

The subsystem starts updating the directory with the certificate information in its internal database. In some circumstances--for example, if the changes are substantial--updating the directory can take considerable time. During this period, any changes made through the subsystem (for example, any new certificates issued or any certificates revoked) may not be included in the update. If you have issued or revoked any certificates during that time, you need to update the directory again to reflect those changes.

When the directory update is complete, the subsystem displays a status report. If for some reason the process gets interrupted, the subsystem logs an appropriate error message. Be sure to check logs if that happens; for details, see "Monitoring Logs".