Netscape Certificate Management System Administrator's Guide: Starting and Stopping Instances

Complete Contents
About This Guide
PART 1: Netscape Certificate Management System
Chapter 1: Introduction to Certificate Management System
Chapter 2: Administration Tasks and Tool
Chapter 3: Configuration
PART 2: Managing Certificate Management System
Chapter 4: Installing and Uninstalling Instances
Chapter 5: Starting and Stopping Instances
PART 3: System-Level Configuration
Chapter 6: Configuring Ports, Database, and SMTP Settings
Chapter 7: Managing Privileged Users and Groups
Chapter 8: Keys and Certificates
PART 4: Authentication
Chapter 9: Introduction to Authentication
Chapter 10: Using the PIN Generator Tool
Chapter 11: Configuring Authentication for End Entities
Chapter 12: Developing Authentication Plug-ins
PART 5: Job Scheduling and Notification
Chapter 13: Introduction to Job Scheduling and Notifications
Chapter 14: Configuring Jobs
PART 6: Policies
Chapter 15: Introduction to Policies
Chapter 16: Configuring Policies
PART 7: LDAP Publishing
Chapter 17: Introduction to LDAP Publishing
Chapter 18: Configuring Subsystems for LDAP Publishing
Chapter 19: Publishing CRLs
PART 8: Agent and End-Entity Interfaces
Chapter 20: Introduction to End-Entity and Agent Interfaces
Chapter 21: Customizing End-Entity and Agent Interfaces
PART 9: Logs
Chapter 22: Introduction to Logs
Chapter 23: Managing Logs
PART 10: Issuance and Management of End-Entity Certificates
Chapter 24: Issuing and Managing End-Entity Certificates
Chapter 25: Recovering Encrypted Data
PART 11: Appendixes
Appendix A: Distinguished Names
Appendix B: Backing Up and Restoring Data
Appendix C: Command-Line Utilities
Appendix D: Certificate Database Tool
Appendix E: Key Database Tool
Appendix F: Netscape Signing Tool
Appendix G: SSL Strength Tool
Appendix H: SSL Debugging Tool

Chapter 5 Starting and Stopping Instances

This chapter describes how to start, stop, and restart Netscape Certificate Management System (CMS) and how to check its current status. The chapter also explains the CMS watchdog process, a native bootstrapping program that enables Certificate Management System to start up with a single password instead of multiple ones.

The chapter has the following sections:

Starting Certificate Management System

Stopping Certificate Management System

Restarting Certificate Management System

Checking System Status

Attending to an Unresponsive Server

CMS Watchdog Process

Note You can use the CMS window only when the appropriate Administration Server is running. Be sure to start Administration Server at the port you specified during CMS installation. To minimize security risks, shut down Administration Server when you have finished using Netscape Console. For instructions on starting and shutting down Administration Server, see "Netscape Administration Server".

Starting Certificate Management System

Once Certificate Management System is installed, it runs constantly, listening for and accepting requests. You can start Certificate Management System in several ways:

From Netscape Console (locally and remotely)

From the command line (locally only)

On a Windows NT system, from the Windows NT Services panel

Required Start-up Information

When you start Certificate Management System, you are prompted to enter the single sign-on password you specified during installation. This password enables the CMS watchdog (see "CMS Watchdog Process") to retrieve all the passwords required by the server to start. These include the following:

Passwords for the internal or external (if any are currently installed) tokens; these tokens contain certificates and corresponding public and private key pairs for the server.

The bind password used by Certificate Management System to access and update the internal database.

The bind password used by Certificate Management System to access and remove PINs from the authentication directory, if you've configured Certificate Management System to remove PINs from the authentication directory (see the description for the ldap.ldapauthbindDN and ldap.ldapauth.bindPWPrompt parameters on Table 9.2).

The bind password used by Certificate Management System to access and update the LDAP directory; this is required only if you have configured Certificate Management System for publishing certificates and CRLs to an LDAP-compliant directory.

You first specified these passwords when you installed Certificate Management System. Keep in mind that the passwords you provide for the tokens unlock a combination of the following private keys:

If you have installed a Certificate Manager in the currently selected CMS instance, the token password unlocks the private keys for the Certificate Manager's CA signing and SSL server certificates.

If you have installed a Registration Manager in the currently selected CMS instance, the token password unlocks the private keys for the Registration Manager's signing and SSL server certificates.

If you have installed a Data Recovery Manager in the currently selected CMS instance, the token password unlocks the private keys for the Data Recovery Manager's storage keys and transport and SSL server certificates.

For more information about the CMS keys and certificates, see "Keys and Certificates".

Note During CMS installation the watchdog stores all the passwords, required by the server for starting up, in a password cache. The cache is maintained in a file encrypted using the single sign-on password you specify during installation. When you change any of the required passwords or provide new passwords, you must start the server from the command-line (see "Starting from the Command Line") so that the watchdog can prompt you for the new passwords in order to update the cache.

Starting from Netscape Console

You can use Netscape Console to start an instance of Certificate Management System running on a local or remote host.

To start Certificate Management System from Netscape Console:

Access Netscape Console (see "Accessing Netscape Console").

In the Console tab, select the Server Group that contains the CMS instance you want to start.

In the navigation tree, locate the CMS instance you want to start.

Select the instance, right-click, and choose the Start Server option from the pop-up menu.

When you start Certificate Management System, you are prompted to supply the single sign-on password for the server.

Enter the single sign-on password you specified during installation and click OK.

Certificate Management System won't start until you provide this password. For more information, see "Required Start-up Information".

Starting from the Command Line

To start Certificate Management System from the command line:

Open a terminal window to your server.

In a Unix system, log in as root if the server runs on ports less than 1024; otherwise, log in either as root or with the server's user account.

At the command-line prompt, enter the following line:

<server_root>/cert-<instance_id>/start-cert[.bat]

.bat specifies the file extension; this is required only when running the utility on a Windows NT system.

<server_root> is the directory where the CMS binaries are kept. You first specified this directory during installation.

<instance_id> is the ID for this instance of Certificate Management System. You first specified this when you installed this server.

When prompted, supply the single sign-on password.

Certificate Management System won't start until you provide this password. For more information, see "Required Start-up Information".

Note If Certificate Management System is already running, the start-up command fails. Stop the server first using the stop-cert command, then use the start- cert command.

Starting from the Windows NT Services Panel

If you have installed Certificate Management System on a Windows NT system, you can start the server (as a service) from the Windows NT Services panel (see Figure 5.1). The CMS service has the following name:

Netscape Certificate Management System (cert-<instance_id>)

<instance_id> is the ID for this instance of Certificate Management System. You first specified this when you installed this server.

Figure 5.1 CMS service in the Windows NT Services panel

To start Certificate Management System from the Windows NT Services panel:

Click the Start button on your desktop.

Select Control Panel from Settings.

In the Control Panel window that appears, click Services.

Select the CMS instance and click Start.

You are prompted to supply the single sign-on password for the server.

Enter the single sign-on password you specified during installation and click OK.

Certificate Management System won't start until you provide this password. For more information, see "Required Start-up Information".

Stopping Certificate Management System

You can stop Certificate Management System in several ways:

From Netscape Console (locally and remotely)

From the command line (locally only)

On a Windows NT system, from the Windows NT Services panel

Stopping Certificate Management System shuts down all the subsystems completely, interrupting service until the server is started again. If your machine crashes or is taken offline, the server stops, and any requests it was servicing are lost. You need to start the server again to restore service.

Stopping from Netscape Console

You can use Netscape Console to stop an instance of Certificate Management System running on a local or remote host.

To stop Certificate Management System from Netscape Console:

Access Netscape Console (see "Accessing Netscape Console").

In the Console tab, select the Server Group that contains the CMS instance you want to stop.

In the navigation tree, locate the CMS instance you want to stop.

Select the instance, right-click, and choose the Stop option from the pop-up menu.

The server is stopped.

Stopping from the Command Line

You can stop a CMS instance running on a local host by entering the appropriate command at the command prompt.

To stop a Certificate Management System from the command line:

Open a terminal window to your server.

In a Unix system, log in either as root or using the server's user account (if that is how you started the server).

At the command-line prompt, enter the following line:

<server_root>/cert-<instance_id>/stop-cert[.bat]

.bat specifies the file extension; this is required only when running the utility on a Windows NT system.

<server_root> is the directory where the CMS binaries are kept. You first specified this directory during installation.

<instance_id> is the ID for this instance of Certificate Management System. You first specified this when you installed this server.

The server is stopped.

Stopping from the Windows NT Services Panel

You can stop a CMS instance running on a local host by stopping the corresponding service; it is identified by the following in the Windows NT Services panel (see Figure 5.1 on page 110):

Netscape Certificate Management System (cert-<instance_id>)

<instance_id> is the ID for this instance of Certificate Management System. You first specified this when you installed this server.

To stop Certificate Management System from the Windows NT Services panel:

Click the Start button on your desktop.

Select Control Panel from Settings.

In the Control Panel window that appears, click Services.

Select the CMS instance and click Stop.

When prompted, click Yes.

The server is stopped.

Restarting Certificate Management System

Whenever you change the CMS configuration, you must save your changes (by clicking the Save button) for the changes to take effect. Some configuration changes also require that you restart the server after you save the changes. If restarting is required, the server prompts you accordingly.

You can restart the server in two ways:

From the CMS window (locally and remotely)

From the command line (locally only)

Restarting from the CMS Window

You can use the CMS window to restart an instance of Certificate Management System on a local or remote host.

To restart Certificate Management System from the CMS window:

Access the CMS window (see "Accessing the CMS Window").

In the Tasks tab, click Restart the Server.

When you restart Certificate Management System, you are prompted to supply the single sign-on password for the server.

Enter the single sign-on password you specified during installation and click OK.

Certificate Management System won't restart until you provide this password. For more information, see "Required Start-up Information".

Restarting from the Command Line

To restart Certificate Management System from the command line:

Open a terminal window to your server.

In a Unix system, log in either as root or using the server's user account (if that is how you started the server).

At the command-line prompt, enter the following line:

<server_root>/cert-<instance_id>/restart-cert[.bat]

.bat specifies the file extension; this is required only when running the utility on a Windows NT system.

<server_root> is the directory where the CMS binaries are kept. You first specified this directory during installation.

<instance_id> is the ID for this instance of Certificate Management System. You first specified this when you installed this server.

When prompted, supply the single sign-on password.

Certificate Management System won't restart until you provide this password. For more information, see "Required Start-up Information".

Checking System Status

You can use Netscape Console to find out whether a particular instance of Certificate Management System is running.

Access Netscape Console (see "Accessing Netscape Console").

In the Console tab, select the SIE that corresponds to the CMS instance you want to check.

In the right pane, check the Server Status field. If the selected instance of Certificate Management System is running, the status will be Started. Otherwise it will be Stopped.

Attending to an Unresponsive Server

If an error causes Certificate Management System to become unresponsive, and all attempts to stop it from the UI fail, it may be necessary to kill the server processes manually. The processes that should be killed are the Java virtual machines, called jssjava. These processes will be listed in the Windows NT Task Manager. However, because they are system processes, you cannot terminate them from the Task Manager. Instead, you should use the killproc command-line tool. This tool is located with the rest of the command-line tools provided with Certificate Management System:

<server_root>/bin/cert/tools/...

<server_root> is the directory where the CMS binaries are kept. You first specified this directory during installation.

In order to kill system processes, the user that runs killproc must have the Debug Programs permission. By default, this permission is given only to the Administrators group, although this can be changed in the Windows NT User Manager. Assuming it is not changed, killproc must be run by a member of the Administrators group (such as the user Administrator).

The killproc command takes one argument, the process ID of the process to be killed:

killproc <process_id>

You can obtain the process ID from the Windows NT Task Manager. For example, to kill the jssjava process whose process ID is 255, you should type:

c:\> killproc 255

Killed process 255.

c:\>

Note The killproc tool should only be used as a last resort. Because it forces the process to terminate abruptly, the process is not able to cleanup or to save its internal state before exiting.

CMS Watchdog Process

The CMS watchdog is a native bootstrapping program that provides specific native functions. It works with Certificate Management System to enable it to start up using a single password--instead of multiple passwords--called the single sign-on password. In addition, it manages the start-up, stop, and restart states of Certificate Management System.

The watchdog process implements the following operations:

Starts Certificate Management System (and the Virtual Java Machine, or Java VM).

The watchdog allows you to start Certificate Management System by using a single password instead of the multiple passwords that would otherwise be required. For details on these passwords, see "Required Start-up Information".

During CMS installation the watchdog stores all the passwords required by the server for starting up in a password cache. The cache is maintained in a file encrypted using the single sign-on password you specify during installation. When you change any of the required passwords or provide new passwords, you must start the server from the command-line (see "Starting from the Command Line") so that the watchdog can prompt you for the new passwords in order to update the cache.

Stops Certificate Management System.

Restarts Certificate Management System (after configuration changes).

Detects Certificate Management System crashes and restarts the server.

The watchdog monitors Certificate Management System and the Java VM, restarting the server in the case of a failure.

In the Unix version of Certificate Management System, the watchdog records the server process ID (pid) and sets the user ID (uid) of the process.

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.