

Chapter 2 Default Demo Installation

This chapter describes how to set up a simple installation that demonstrates the basic capabilities of a Certificate Manager with an integrated Registration Manager. It is intended for administrators who are already familiar with PKI concepts. An experienced administrator should be able to install and set up the default demo in less than an hour, then use it to try out basic Netscape Certificate Management System procedures.

This chapter describes how to install a Certificate Manager for demonstration purposes only. The steps described require that you accept most of the default values suggested at each stage of installation and configuration. Before you attempt to install more sophisticated pilots or a full-scale deployment, you should read Chapter 3, "Planning Your Deployment," and the chapters that follow.

This chapter has the following sections:

  • System Requirements
  • Overview of Default Demo
  • Default Demo Installation Procedure
  • Using the Default Demo

System Requirements
This section summarizes the basic software and hardware requirements for any machine on which you intend to install Certificate Management System instances and related software:

Software and Hardware Requirements

Operating systems supported:

Other required software:

Platform Requirements

In addition to the requirements listed below, make sure you have ample swap space or virtual memory allocated for the system on which you intend to install Certificate Management System.

Solaris Platform Requirements

RAM: 128 MB (recommended)

Patch level 103640-12 or greater

Hard disk storage space of approximately 250 MB total, broken down as follows:

Windows NT Platform Requirements

NT Service Pack 4

128 MB of RAM (recommended)

Pentium 166 or faster

Software must be installed on NTFS (FAT file system can't be used due to Directory Server 4.1 restrictions)

Hard disk storage space of approximately 250 MB total, broken down as follows:

Other Requirements


Overview of Default Demo
The default demo installation described in this chapter is intended to provide a quick, hands-on experience of the basic Certificate Management System interfaces. It is intended for demonstration purposes only and relies on a number of default settings that may not be appropriate for a mission-critical installation. Before you attempt to install more sophisticated pilots or a full-scale deployment, read Chapter 3, "Planning Your Deployment," and the chapters that follow.

The default demo installation includes the following Netscape software:

You use the main window of Netscape Console to perform basic tasks such as starting and stopping a server. To manage any server controlled by Netscape Console (in this case, just Directory Server and the Certificate Manager), first locate it on the left side of the main Netscape Console window, then double-click the icon to open a separate administrative window for that server.

Netscape Console uses the configuration directory for information on the locations and contents of server groups on the network. It also interacts with the Administration Server for each server group to perform some tasks, such as managing SSL encryption settings. However, to manage settings displayed in the Netscape Console window for a particular Certificate Management System instance, Netscape Console acts directly on a configuration file stored with that instance. (For more information about the configuration file, see Netscape Certificate Management System Administrator's Guide.)

As you proceed with the default demo installation and configuration, you will be asked to assign several port numbers, names, and passwords. Figure 2.1 shows the four main software elements of the demo and the port numbers and protocols they use for different purposes.

Figure 2.1 Software installed and port numbers assigned for the default demo

You will also be asked to provide additional information, such as the name of each server instance to be installed, the names and passwords of various types of administrators, and information related to the CA signing certificate and SSL server certificate that the Certificate Manager must have available before it can begin operation.

To keep things simple for the default demo, most of the information requested during installation is set either to a default or to some arbitrary, convenient value. Before you attempt to install more sophisticated pilots or a full-scale deployment, you should read Chapter 3, "Planning Your Deployment," and the chapters that follow to determine the precise names and settings that are appropriate for your situation.

Another difference between the default demo and more sophisticated installations is that the Directory Server instance, in addition to providing both the configuration directory and the user directory, is also used to publish and test certificates you may issue with the Certificate Manager instance. In a real-world deployment, the directory used for configuration and users is unlikely to be used for publishing as well.

Demo Passwords

The demo that you install is a real CA that can issue certificates. Even if you plan to remove it after testing, you should maintain the security of the demo system. For this reason, the installation procedure does not give specific passwords for each administrative user. However, to avoid confusion, the passwords that you will need are identified here and are later referred to by this identification. If you make a list of the passwords you decide on, be sure to keep the list secure.

You will need to provide the following passwords during the installation process:

<admin password>
Administrator for both Administration Server and its configuration directory. Use this password to start Netscape Console and the Installation Wizard.
<dir mgr password>
Manager for the configuration directory. After specifying it during setup, you will not need to use it again in this process. (This password must be at least eight characters.)
<intdb password>
Administrator for the CMS internal database (an instance of Directory Server). This password is kept and protected in a special cache that you access with the <single-signon password>.
<CMS password>
CMS administrator. Use this password to access Netscape Console's CMS window.
<token password>
Password for the CMS key database. This password is kept and protected in a special cache that you access with the <single-signon password>.
<single-signon password>
This password protects the <intdb password> and <token password>. Use this password to start Certificate Management System.


Default Demo Installation Procedure
The installation script installs and starts an Administration Server and a Directory Server; the process is slightly different for Windows NT and Unix systems. The Installation Wizard, which is the same on both systems, installs Certificate Management System itself and creates the system's certificates. When you have finished installing the files, you start Certificate Management System and enroll for the initial administrator-agent certificate, which you then use to verify that the system is properly installed and functions correctly.

The steps of this installation procedure are described in the following sections:

  • Step 1. Run the Installation Script - Unix (or Step 1. Run the Installation Script - Windows NT)
  • Step 2. Run the Installation Wizard
  • Step 3. Get the First User Certificate

Step 1. Run the Installation Script - Unix

These instructions assume that you have the initial distribution of Certificate Management System available, either on a CD or on your hard disk.

If you are using a Windows NT system, see "Step 1. Run the Installation Script - Windows NT."

To run the installation script, change to the distribution directory (where you have downloaded the distribution files) and execute the file setup.

In the instructions that follow, the question that appears at the bottom of each setup screen is in boldface, followed by the action you should take.

  1. Would you like to continue with setup? [Yes]: Press Enter.
  2. Do you agree to the license terms? [No]: Type yes and press Enter.
  3. Select the items you would like to install [1]: Press Enter.
  4. Choose an installation type [2]: Press Enter for a Typical installation.
  5. Server root [/usr/netscape/server4]: Press Enter to accept the default server root directory.
  6. Specify the components you wish to install [All]: Press Enter to accept the default.
  7. Specify the components you wish to install [1,2,3]: Press Enter to accept the default server product components.
  8. Specify the components you wish to install [1,2]: Press Enter to accept the default Directory Suite components.
  9. Specify the components you wish to install [1,2]: Press Enter to accept the default Administration Services components.
  10. Specify the components you wish to install [1, 2]: Press Enter to accept the default CMS components.
  11. Computer name [myhost.mydomain.com]: Press Enter to install on the local machine.
  12. System User [nobody]: Enter the user that the configuration/user Directory Server process will run as. Where your system supports it, accept the default user nobody, creating that user as necessary.
  13. System Group [nobody]: Enter the group that the configuration/user Directory Server process will run as. Where your system supports it, accept the default group, nobody, creating that group as necessary.
  14. Do you want to register this software with an existing Netscape configuration directory server? [No]: Press Enter to install a new configuration directory.
  15. Do you want to use another directory to store your data? [No]: Press Enter to use the new configuration directory as your user/group directory.
  16. Directory server network port [random #]: Type 17000 and press Enter.
  17. Directory server identifier [myhost]: Type configdir as the unique identifier for the configuration directory, and press Enter.
  18. Netscape configuration directory server administrator ID [admin]: Press Enter to accept the default, then enter the <admin password>.
  19. Suffix [o=mydomain.com]: Press Enter to accept the default.
  20. Directory Manager DN [cn=Directory Manager]: Press Enter to accept the default, then enter the <dir mgr password>.
  21. Administration Domain [mydomain.com]: Press Enter to accept the default.
  22. Administration port [random #]: Type 17001 and press Enter.
  23. Run Administration Server as [currentlogin]: Press Enter.
  24. Netscape Certificate Management System Server identifier [localhost]: Type cmsdemo and press Enter. The script copies the files and updates the system, which may take a few minutes. When it is finished, press Enter to continue.
The first phase of the installation is now complete. The installation script has installed Netscape Console, installed and started an Administration Server and its configuration directory, and copied the files for Certificate Management System. You are now ready to configure the Certificate Management System instance by running the Installation Wizard.

Step 1. Run the Installation Script - Windows NT

These instructions assume that you have the initial distribution of Certificate Management System available, either on a CD or on your hard disk.

If you are using a Unix system, see "Step 1. Run the Installation Script - Unix."

To run the installation script, open the distribution directory for the system software you are using and double-click the file setup.exe.

In the instructions that follow, the name that appears in the title bar of each setup screen is in boldface, followed by a description of the action you should take.

  1. Welcome. Click Next.
  2. Software License Agreement. Click Yes.
  3. Select Server or Console Installation. Leave the default setting (Netscape Servers) selected and click Next.
  4. Select Installation Type. Leave the default setting (Typical) selected and click Next.
  5. Choose Installation Directory. Leave the default setting (C:\Netscape\Server4) selected and click Next.
  6. Select Products. Leave all four components selected and click Next.
  7. Directory Server 4.1. Leave the default setting ("This instance will be the configuration directory server") selected and click Next.
  8. Directory Server 4.1. Leave the default setting ("Store data in this directory server") selected and click Next.
  9. Directory Server 4.1 Server Settings. Type the following values, then click Next:
     Server identifier: configdir
     Server port: 17000
     Suffix: Accept the default, which should be your company's domain name, in the form o=mydomain.com.
  10. Directory Server 4.1 Netscape Configuration Directory Server Administrator. Type the following values, then click Next:
     Configuration Directory Administrator ID: admin
     Password: <admin password>
     Password (again): <admin password>
  11. Directory Server 4.1 Administration Domain. Accept the default, which should be your company's domain name, in the form mydomain.com.
  12. Directory Server 4.1 Directory Manager Settings. Type the following values, then click Next:
     Directory Manager DN: cn=Directory Manager
     Password: <dir mgr password>
     Password (again): <dir mgr password>
  13. Administration Server Port Selection. Type the value 17001 and click Next.
  14. Netscape Certificate Management System Server identifier. Type the value cmsdemo and click Next.
  15. Configuration Summary. Click Next.
  16. Setup. At this point, the installation script extracts and installs the binaries for all of the servers in the server root directory and creates and starts instances of the Administration Server and Directory Server. This process may take a few minutes.
  17. Setup Complete. Leave the default setting ("Restart my computer now") selected and click Finish.
The first phase of the installation is now complete. The installation script has installed Netscape Console, installed and started an Administration Server and its configuration directory, and copied the files for Certificate Management System. You are now ready to complete the installation of Certificate Management System by running the Installation Wizard.

Step 2. Run the Installation Wizard

To begin running the Installation Wizard, you must first follow these steps:

  1. Start Netscape Console.
  2. Log in as admin, giving the password <admin password>. The main window of Netscape Console appears.
  3. In the navigation tree at the left, open your computer, then open Server Group.
  4. Select cert-cmsdemo.
  5. In the Netscape Certificate Management System panel at the right, click Open. After a few moments, the Installation Wizard appears. You use the wizard to get the initial certificates and set the initial configuration for this instance of Certificate Management System.

In the instructions that follow, the panel title that appears below the title bar for each screen is in boldface, followed by the action you should take.

  1. Introduction. Click Next.
  2. Internal Database. Type the following values, then click Next:
     Instance ID: Accept the default (cmsdemo-db).
     Port number: 17002
     Directory Manager DN: cn=internal directory manager
     Password: <intdb password>
     Password (again): <intdb password>
  3. Administrator. Type the following values, then click Next:
     Administrator ID: CMSadmin
     Full name: Accept the default value.
     Password: <CMS password>
     Password (again): <CMS password>
  4. Subsystems. Accept the default selection (Certificate Manager only) and click Next.
  5. Remote Data Recovery Manager. Accept the default selection (No) and click Next. At this point the system creates the internal database, which can take some time.
  6. Network Configuration. Type the following values, then click Next:
     SSL administration port: 17003
     SSL agent port: 17004
     SSL end-entity port: 17005
     Enable: Select this checkbox to enable the non-SSL end-entity gateway.
     Non-SSL end-entity port: 17006
  7. Server Migration from Certificate Server 1.x - Step 1. Accept the default selection (No) and click Next.
  8. CA Signing Certificate. Accept the default selection (Create self-signed CA certificate) and click Next.
  9. Key-Pair Information for Certificate Manager CA Signing Certificate. Type the following values, then click Next:
     Token: Accept the default value (Internal).
     Password: <token password>
     Password (again): <token password>
     Key type: Accept the default value (RSA).
     Key length: Accept the default value (512) and leave the custom key-length field blank. A 512-bit RSA key is acceptable here only because this CA is a throwaway demo; it is far too short for any CA whose certificates will actually be relied on.
  10. Subject Name for Certificate Manager CA Signing Certificate. Type the following values, then click Next:
     Common name (CN=): Demo CA
     Organization Unit (OU=): CMS Testing
     Organization (O=): name of your company
     Locality (L=): name of your locality
     State (ST=): name of your state
     Country (C=): two-letter code for your country
  11. Validity Period for Certificate Manager CA Signing Certificate. Modify the year and month values of the "Expire on" date to allow a validity period of one month from the installation date, then click Next.
  12. Certificate Extensions for Certificate Manager CA Signing Certificate. Accept the default selections and click Next.
  13. Certificate Manager CA Signing Certificate Creation. Click Next.
  14. SSL Server Certificate. Accept the default selection (Sign SSL certificate with my CA signing certificate) and click Next.
  15. Key-Pair Information for Server SSL Certificate. Accept the default selections, then click Next.
  16. Subject Name for SSL Server Certificate. Type the following values, then click Next:
     Common name (CN=): your local host name, in the form mymachine.mydomain.com
     Organization Unit (OU=): CMS Testing
     Organization (O=): name of your company
     Locality (L=): name of your locality
     State (ST=): name of your state
     Country (C=): two-letter code for your country
  17. Validity Period for SSL Server Certificate. Modify the year and month values of the "Expire on" date to allow a validity period of one month from the installation date, then click Next.
  18. Certificate Extensions for SSL Server Certificate. Accept the default selections and click Next.
  19. SSL Server Certificate Creation. Click Next. The generation of the certificate can take some time.
  20. Set Up Single Signon Password. Type the following values, then click Next:
     Single signon password: <single-signon password>
     Single signon password (again): <single-signon password>
  21. Configuration Status. Click Done. Certificate Management System starts automatically.

The installation and configuration of Certificate Management System is now complete, and the Certificate Manager is running.

The user interface of Certificate Management System is available through the web gateways whose ports you specified during installation. You can access them directly in a web browser by going to those ports using the appropriate protocol.

Step 3. Get the First User Certificate

After you complete configuration of Certificate Management System with the Installation Wizard, you must enroll for a certificate for the first agent. This is the first user certificate that Certificate Management System issues.

The initial user is both an administrator and an agent. This person can use Netscape Console to create additional agents with the appropriate user privileges and use Agent Services to issue them certificates. Since there is no agent yet to approve the request, a special enrollment form allows you to get this first certificate automatically.

After you submit this initial Administrator/Agent Certificate Enrollment form, it is automatically disabled, so that no one else can acquire a certificate without agent approval or some form of automated authentication. The system automatically adds the initial user to the list of agents.

To enroll for the first agent certificate, you should be working at the computer you intend to use as the agent, so that the new certificate will be installed in the browser you will be using to access the Agent Services pages. Follow these steps:

  1. Open a web browser window.
  2. Go to the URL for the SSL agent port (17004). For example:

     https://myhost.mydomain.com:17004

     The first time you access this port, the system opens the Administrator/Agent Certificate Enrollment form.

     Because you have accessed an SSL port, Certificate Management System presents its SSL server certificate to your browser for authentication. This is the SSL server certificate that you just created during installation. Because you just created it, it is not on your list of trusted certificates. A series of dialog boxes now appears that lets you add the CMS server certificate to your list of trusted certificates. Before you accept it, check that the subject name and validity period the browser shows match the values you entered in the Installation Wizard.

  3. Complete the dialog boxes as instructed (the exact procedure depends on the browser you are using).
  4. In the Administrator/Agent Certificate Enrollment form, enroll for a client SSL certificate as the system's first privileged user by entering the following information:

     Authentication Information
     User ID: CMSadmin
     Password: <CMS password>

     Subject Name
     Full name: CMS Administrator
     Login name: CMSadmin
     Email address: your email address
     Organization unit: CMS Testing
     Organization: name of your company

     User's Key Length Information
     Key Length: Select 512 (High Grade)

     Note that the validity period of this initial agent certificate is hard-coded as one year.

  5. Click Submit.
  6. Follow the instructions your browser presents as it generates a key pair.
  7. If authentication is successful, the new certificate is imported into your browser, and you are given an opportunity to make a backup copy.

Now you have a client authentication certificate in the name CMSadmin. This special user, who was created as the initial administrator for Certificate Management System during installation, has been automatically designated as the first agent. This certificate allows you to access the Agent Services pages. As an agent, you can approve enrollment requests and start issuing new certificates. To access the CMS windows in Netscape Console, you use the CMS administrator user ID and the CMS password.

Important After you submit the initial Administrator/Agent Certificate Enrollment form, it is no longer available from the agent port. If something goes wrong and you are unable to obtain the initial agent certificate, you must reset a parameter in the configuration file to make the initial Administrator/Agent Certificate Enrollment form available again. Follow these steps:

  1. In the left frame of Netscape Console, open cert-cmsdemo. The server requests your <CMS password>.
  2. Click the icon labeled Stop the Server.
  3. Go to the directory <server root>/cert-cmsdemo/config, open the file CMS.cfg in a text editor, and find the following line:

     agentGateway.enableAdminEnroll=false

  4. Change false to true, and save the file.
  5. Start the server from the CMS window where you stopped it. (Alternatively, right-click cert-cmsdemo in the left frame and choose Start Server.) At this point, the server asks you for your <single-signon password>.
  6. The next time you access https://myhost.mydomain.com:17004, the Administrator/Agent Certificate Enrollment form is available again.
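
The same parameter change done from a script, added here as an example; it is not code from this guide or from the Netscape CMS product. It assumes only what the procedure above shows about CMS.cfg, one name=value setting per line with agentGateway.enableAdminEnroll controlling the form, and additionally treats lines beginning with # as comments, which is an assumption. It takes a timestamped backup before writing and returns the previous value. Run it only while the server is stopped, as in the steps above; nothing in it checks whether CMS is running.

```python
"""Re-enable the initial Administrator/Agent Certificate Enrollment form by
editing CMS.cfg from a script.

Added example, not code from Netscape CMS or this guide. Assumptions: CMS.cfg
holds one name=value setting per line (as the procedure shows), and lines
starting with '#' are comments (assumed; they are left untouched either way).
"""
import pathlib
import shutil
import time

ADMIN_ENROLL_PARAM = "agentGateway.enableAdminEnroll"


def set_config_param(text, key, value):
    """Return (new_text, old_value).

    Rewrites the first non-comment line whose name is exactly `key`, leaving
    every other line (settings, comments, blank lines) as it was. If the key
    is absent it is appended. old_value is None when the key was not present,
    so the caller can tell "flipped" from "added".
    """
    lines = text.splitlines()
    old_value = None
    replaced = False
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        name, sep, current = stripped.partition("=")
        if sep and name.strip() == key:
            old_value = current.strip()
            lines[i] = f"{key}={value}"
            replaced = True
            break
    if not replaced:
        lines.append(f"{key}={value}")
    new_text = "\n".join(lines)
    if text.endswith("\n") or not text:
        new_text += "\n"
    return new_text, old_value


def reenable_admin_enroll(cfg_path):
    """Back up CMS.cfg next to itself, then set the parameter to true.

    Call this only while the server is stopped, exactly as the procedure
    above does: this is a plain file rewrite and nothing here checks whether
    CMS is running. Returns the previous value ("false" in the normal case).
    """
    path = pathlib.Path(cfg_path)
    stamp = time.strftime("%Y%m%d%H%M%S")
    shutil.copy2(path, path.with_name(f"{path.name}.{stamp}.bak"))
    new_text, old_value = set_config_param(path.read_text(), ADMIN_ENROLL_PARAM, "true")
    path.write_text(new_text)
    return old_value


if __name__ == "__main__":
    import sys
    # Usage: python reenable_admin_enroll.py <server root>/cert-cmsdemo/config/CMS.cfg
    previous = reenable_admin_enroll(sys.argv[1])
    print(f"{ADMIN_ENROLL_PARAM}: {previous!r} -> 'true'")
```

Once re-enabled, the form hands an agent certificate to anyone who can present the CMS administrator ID and <CMS password>, with no agent approval; submit it promptly. As described above, it disables itself again after one submission.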

Using the Default Demo
You have now performed a basic installation and can use the installed Certificate Manager to issue certificates. This section provides the following exercises with which to test the installation and practice using the system:

  • Verify the Installation. You will access the various web gateways and use the default versions of the forms to enroll for and issue a certificate.
  • Use an LDAP Directory. You will add a user to the configuration directory you just installed and use directory-based authentication to enroll as that user.
Verify the Installation

To verify that the installation is correct and complete, you will access each of the different gateways for the various user interface pages: the SSL and non-SSL end-user pages, and the Agent Services pages for the Certificate Manager. You will use each set of pages to perform a basic task.

In a real installation, you would probably not give users access to both gateways or to all the enrollment choices and other possible actions in the pages. You access both end-user gateways here simply for testing purposes, not because these particular actions need to be performed from these locations.

  1. In a web browser window, use HTTPS to go to the URL for the SSL agent port that you specified. For example:

     https://myhost.mydomain.com:17004

     Because this is an SSL connection, you are prompted to present your client SSL certificate for authentication. Choose the certificate you received on initial enrollment. The Agent Services entry page appears.

  2. Click Services Summary. The Services Summary page appears, giving you access to all the gateways.
  3. Click End Users Services. The Enrollment tab for the non-SSL end-entity gateway appears.
  4. Click the Retrieval tab. The form that appears is for the first option, List Certificates.
  5. In the List Certificates form, type 0x0 into the field labeled "Lowest serial number," then click Find to list the certificates that the Certificate Manager has issued so far. If you followed the instructions in this chapter exactly, you should see three certificates listed: the CA signing certificate (CN=Demo CA), the Certificate Manager SSL server certificate (CN=<your hostname>), and your initial agent certificate (CN=CMS Administrator).
  6. Use the browser's Back button to go back to the Services Summary page. (For example, when using Communicator, press and hold the mouse button while it's over the Back button, then choose Index from the pop-up menu.)
  7. Click SSL End-Users Services. The Enrollment tab for the SSL end-entity gateway appears.
  8. Use the Manual User Enrollment form that appears to enroll for a certificate. For Full Name, type the name User1, so that you will recognize this certificate as distinct from your administrator's certificate. When you have finished filling it out, submit the form.
  9. Follow the instructions your browser presents as it generates a key pair. After the key pair has been generated, the Certificate Manager displays a notice that the certificate request has been submitted, including a request ID.
  10. Use the browser's Back button to go back to the Services Summary page, as in step 6.
  11. Click Agent Services, then click Certificate Manager Agent Services. To access this page, your browser must present your client SSL certificate to authenticate your identity. If a dialog box appears requesting that you select a certificate, select the certificate name that begins with CMS Administrator. The first form for the Agent Services gateway appears: the List Requests form.
  12. Select the radio button labeled "Show pending requests," then click Find. One request should be returned: the request you just made through the SSL end-user gateway, which is marked as pending.
  13. Click the Details button next to the pending request.
  14. Scroll down to the last section of the Request Details form, labeled Privileges. Select the checkbox labeled "This certificate is for a Certificate Manager agent," then type a user ID for the new agent. This user ID can be the same (User1) that you specified in the certificate request, or it can be some other ID that you want to use to identify this agent in the CMS window of Netscape Console, such as Agent1.
  15. At the bottom of the form, select "Accept this request" and click Do It. The certificate is issued immediately. The Request Details form is replaced by a form announcing that the certificate has been generated, along with its serial number.
  16. Click Show Certificate to view the new certificate. At the bottom of the page is a button labeled Import Certificate. Normally, you would mail this page to the requester, or the Certificate Manager would mail the requester an automatic notification containing the certificate and instructions.
  17. Since you made the request yourself from this computer, click Import Certificate to import the certificate into your browser.
You have now designated User1 as an agent. Since you have already issued a certificate in the name of User1, you can now present that certificate to access the Agent Services pages. User1 is an agent, but not an administrator; as User1, you can manage certificate requests, but you cannot access Netscape Console's CMS window to configure the system.

To verify that the User1 certificate really can access the agent pages, you must first set your browser to use the User1 certificate to identify you to web sites. To do this in Communicator 4.x, for example, follow these steps:

  1. Click the Security button in the Navigation toolbar near the top of the window.
  2. Click Navigator in the left-hand frame.
  3. From the pop-up menu labeled "Certificate to identify you to a web site," select your User1 certificate.
  4. Click OK.
To test your new certificate, first go to any other web page that is not part of Agent Services (such as http://home.netscape.com), then return to the Agent Services pages at the URL for the SSL agent port that you specified, for example https://myhost.mydomain.com:17004. You should be able to access the Agent Services pages without any difficulty, as long as you are using the same computer from which you requested and imported the User1 certificate.

Before you continue, you might want to try accessing the new installation from another computer and with a different login. Try enrolling for user certificates from there, using both the SSL and non-SSL end-user gateways. If you wish, you can also enroll for additional agent certificates. You will have to return to the computer from which you requested and imported your CMSadmin and User1 certificates to access the Agent Services pages and approve the requests.

Use an LDAP Directory

To test using Certificate Management System with an LDAP directory, you will use Netscape Console's CMS window to enable directory-based authentication using the configuration directory that you installed with the demo. You will add a user (User2) to the directory, then enroll for a certificate as User2, using directory-based enrollment. Certificate Management System should authenticate the user information in the directory and issue the certificate automatically.

Enable Directory-Based Authentication

To enable directory-based authentication for the Certificate Manager:

  1. Start Netscape Console.
  2. Log in as admin, giving the password <admin password>. The main window of Netscape Console appears.
  3. In the navigation tree at the left, open your computer, then open Server Group.
  4. Select cert-cmsdemo.
  5. In the Netscape Certificate Management System panel at the right, click Open.
  6. Log in as CMSadmin, giving the password <CMS password>.
  7. Select the Configuration tab, then select Authentication in the navigation tree.
  8. On the Authentication Instance tab of the Authentication page, click Add.
  9. In the Select Authentication Plugin Implementation dialog box, select UidPwdDirAuth and click Next.
  10. In the Authentication Instance Editor dialog box, provide the following information:
     Authentication Instance ID: UserDirEnrollment
     dnpattern: cn=$attr.cn,c=US
     ldapAttributes: Leave blank
     ldap.ldapconn.host: your host name
     ldap.ldapconn.port: 17000
     ldap.ldapconn.secureConn: false
     ldap.ldapconn.version: 2
     ldap.basedn: o=mydomain.com
     ldap.minConns: 3
     ldap.maxConns: 5
  11. Click OK.

With secureConn set to false, the bind that checks each enrolling user's password travels between the Certificate Manager and the directory in cleartext on port 17000. That is tolerable only in this demo, where both servers run on the same host.

Note If you leave the dnpattern field blank, the dnpattern used by default is E=$attr.mail,CN=$attr.cn,O=$dn.o,C=$dn.c. This pattern works well with Communicator and other browsers. However, end-entity certificates for use with S/MIME may not work correctly if the E attribute is not present, and certificate display will not work correctly if the C and O attributes are left out.
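
How a dnpattern turns directory data into a certificate subject, as an added example; this is not Netscape's code, and it assumes the substitution rules the syntax implies: $attr.<name> is replaced by that attribute of the authenticated user's entry, $dn.<name> by the value of that RDN type in the entry's own DN, and everything else is copied literally. It escapes substituted values per RFC 4514, so a directory value such as "User Two,OU=Agents" cannot smuggle an extra RDN into the subject, and it refuses to build a subject when a token has no value, the missing-E/O/C case the note above warns about. Run against an entry under the demo suffix o=mydomain.com, the default pattern fails on $dn.c, which is what the demo's literal c=US avoids.

```python
"""Expand a UidPwdDirAuth dnpattern into the subject name that
directory-based enrollment will put in the certificate.

Added example written for this chapter, not code from Netscape CMS. Assumed
rules: "$attr.<name>" -> attribute of the authenticated entry;
"$dn.<name>" -> value of that RDN type from the entry's DN; other characters
are copied through. Values are escaped per RFC 4514 before substitution.
"""
import re

# The default quoted in the note above, and the pattern the demo configures.
DEFAULT_DNPATTERN = "E=$attr.mail,CN=$attr.cn,O=$dn.o,C=$dn.c"
DEMO_DNPATTERN = "cn=$attr.cn,c=US"

_TOKEN = re.compile(r"\$(attr|dn)\.([A-Za-z0-9-]+)")


def escape_rdn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def _split_unescaped(text, sep):
    """Split on `sep`, keeping backslash-escaped characters with their RDN."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current))
    return parts


def parse_dn(dn):
    """Map each RDN type in `dn` (lower-cased) to its first, most specific value."""
    parts = {}
    for rdn in _split_unescaped(dn, ","):
        for ava in _split_unescaped(rdn, "+"):  # multi-valued RDNs join with '+'
            typ, sep, val = ava.partition("=")
            if sep:
                parts.setdefault(typ.strip().lower(), val.strip())
    return parts


def expand_dnpattern(pattern, entry_dn, attrs):
    """Return the certificate subject DN for one authenticated user.

    Raises KeyError naming the first token with no value, so the enrollment
    is rejected instead of silently producing a subject with a hole in it.
    """
    dn_parts = parse_dn(entry_dn)
    attr_map = {k.lower(): v for k, v in attrs.items()}

    def substitute(match):
        source, name = match.group(1), match.group(2).lower()
        table = attr_map if source == "attr" else dn_parts
        value = table.get(name)
        if not value:
            raise KeyError(f"${source}.{name} has no value for entry {entry_dn}")
        return escape_rdn_value(value)

    return _TOKEN.sub(substitute, pattern)


if __name__ == "__main__":
    # Constructed entry matching the User2 added in the procedure above.
    entry = "uid=User2,ou=People,o=mydomain.com"
    attrs = {"cn": "User Two", "mail": "user2@mydomain.com", "uid": "User2"}
    print(expand_dnpattern(DEMO_DNPATTERN, entry, attrs))
    try:
        print(expand_dnpattern(DEFAULT_DNPATTERN, entry, attrs))
    except KeyError as exc:
        print("default pattern rejected:", exc)
```

The demo's pattern places every user at cn=<cn>,c=US, so two directory entries with the same cn get identical subjects; for anything beyond a demo, include an attribute that is unique per entry, such as the E component the default pattern uses.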

Add a User to the Directory

The users and groups of your organization are kept in the organization's global directory. Since you are using the configuration directory that you installed with the demo to simulate such a global directory, you must add a user to the configuration directory's user and groups subtree. (Notice that this is a different operation from adding a user or group to the Certificate Manager's internal database.)

To add a user to the configuration directory's user and groups subtree:

  1. Start Netscape Console again, or go back to the main window.
  2. Select the Users and Groups tab and click Create.
  3. In the Select Organization Unit dialog box, select People and click OK.
  4. In the Create User dialog box, fill out the required fields as follows:
     First Name: User
     Last Name: Two
     Full Name: User Two
     User ID: User2
     Password: <User2 password>
     Confirm password: <User2 password>
     E-Mail: your email address
  5. Click OK. User Two now appears in the list of users.

Enroll with Directory-Based Authentication

Now that there is a user in the authentication directory, you can test directory-based authentication.

  1. Open a browser and go to the SSL end-user gateway:

     https://mymachine.mydomain.com:17005

  2. In the Enrollment panel under User Enrollment, click Directory-based.
  3. Fill out the enrollment form as follows:
     User ID: User2
     Password: <User2 password>
     Key Length: Select 512 (High Grade)
  4. Click Submit.
  5. A dialog box asks whether to generate a private key. Click OK, and provide your key database password if necessary.
  6. The new certificate is issued immediately, and a dialog box asks whether you want to install it in your browser.

You have now completed the default demo. Before you attempt to install more sophisticated pilots or a full-scale deployment, you should read Chapter 3, "Planning Your Deployment," and the chapters that follow.

 

© Copyright 1999 Netscape Communications Corp., a subsidiary of America Online, Inc. All rights reserved.