
IBM® SecureWay® Trust Authority
Configuration Guide
Version 3 Release 1.2
SH09-4529-01

Note: Before using this information and the product it supports, read the general information under "Notices" on page 49.

Second Edition (June 2000)

This edition applies to IBM SecureWay Trust Authority, program 5648-D09, version 3 release 1 modification 2, and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 1999, 2000. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Chapter 1. About Trust Authority ..... 1
Chapter 2. Overview ..... 3
Chapter 3. How do I...? ..... 5
  Prepare for configuration ..... 5
    Set up the workstation ..... 5
    Collect configuration data ..... 6
  Configure the system ..... 9
    Run the Setup Wizard ..... 9
    Run CfgStart on AIX ..... 10
    Run CfgStart on Windows NT ..... 11
    Import configuration data ..... 12
    Set up remote servers ..... 13
    Specify DNs by typing them ..... 14
    Use the DN Editor ..... 15
    View configuration messages ..... 17
    Verify the configuration ..... 18
  Prepare for production ..... 19
    Secure the Setup Wizard ..... 20
    Change Directory permissions on AIX ..... 20
    Change server passwords ..... 20
    Edit configuration files ..... 21
    Authorize registrars ..... 21
    Back up the Trust Authority system ..... 21
    Directory changes for DN flexibility ..... 22
    Modify the ACL for new LDAP Suffix ..... 22
  Customize the registration domain ..... 22
  Reconfigure the system ..... 23
  Use Trust Authority With Policy Director ..... 23
  Uninstall Trust Authority ..... 24
    Uninstall from AIX ..... 24
    Uninstall from Windows NT ..... 27
Chapter 4. Tell me about... ..... 29
  Auditing ..... 29
  Certificate authorities ..... 30
  DB2® databases ..... 30
  Directories ..... 31
    Directory trees ..... 31
    Root DNs ..... 32
    Directory administrators ..... 32
  PKIX CMP connections ..... 32
  Registration domains ..... 33
  SSL connections ..... 33
  Web servers ..... 34
  4758 coprocessors ..... 35
Chapter 5. Reference ..... 37
  Startup options ..... 37
  Import options ..... 37
  Trust Authority password options ..... 38
  CA and Audit server options ..... 38
  CA key options ..... 39
  Directory server options ..... 40
  Directory root options ..... 41
  Directory administrator options ..... 42
  Registration domain options ..... 42
  Public Web server options ..... 43
  Secure Web server options ..... 44
  Trust Authority Client options ..... 44
  Configuration summary ..... 45
  Save configuration data ..... 45
  Configuration process ..... 45
  Keyboard alternatives for mouse actions ..... 46
  National language considerations ..... 47
Notices ..... 49
  Trademarks and service marks ..... 50
Related information ..... 53
Glossary ..... 55
Index ..... 67

Chapter 1. About Trust Authority

IBM® SecureWay® Trust Authority provides applications with the means to authenticate users and ensure trusted communications:

• It allows organizations to issue, publish, and administer digital certificates in accordance with their registration and certification policies.
• Support for Public Key Infrastructure for X.509 version 3 (PKIX) and Common Data Security Architecture (CDSA) cryptographic standards allows for vendor interoperability.
• Digital signing and secure protocols provide the means to authenticate all parties in a transaction.
• Browser- and client-based registration capabilities provide maximum flexibility.
• Encrypted communications and secure storage of registration information ensure confidentiality.

A Trust Authority system can run on IBM AIX/6000® and Microsoft® Windows NT® server platforms. It includes the following key features:

• A trusted Certificate Authority (CA) manages the complete life cycle of digital certification. To vouch for the authenticity of a certificate, the CA digitally signs each one it issues. It also signs certificate revocation lists (CRLs) to vouch for the fact that a certificate is no longer valid. To further protect its signing key, you can use cryptographic hardware, such as the IBM SecureWay 4758 PCI Cryptographic Coprocessor.
• A Registration Authority (RA) handles the administrative tasks behind user registration. The RA ensures that only certificates that support your business activities are issued, and that they are issued only to authorized users. The administrative tasks can be handled through automated processes or human decision-making.
• A Web-based enrollment interface makes it easy to obtain certificates for browsers, servers, and other purposes, such as virtual private network (VPN) devices, smart cards, and secure e-mail.
• A Windows® application, the Trust Authority Client, enables end users to obtain and manage certificates without using a Web browser.
• A Web-based administration interface, the RA Desktop, enables authorized registrars to approve or reject enrollment requests and administer certificates after they have been issued.
• An Audit subsystem computes a message authentication code (MAC) for each audit record. If audit data is altered or deleted after it has been written to the audit database, the MAC enables you to detect the intrusion.
• Policy exits enable application developers to customize the registration processes.
• Integrated support for a cryptographic engine. To authenticate communications, the core Trust Authority components are signed with a factory-generated private key. Security objects, such as keys and MACs, are encrypted and stored in protected areas called KeyStores.
• Integrated support for IBM SecureWay Directory. The Directory stores information about valid and revoked certificates in an LDAP-compliant format.
• Integrated support for IBM WebSphere™ Application Server and IBM HTTP Server. The Web server works with the RA server to encrypt messages, authenticate requests, and transfer certificates to the intended recipient.
• Integrated support for the IBM DB2® Universal Database.

Chapter 2. Overview

After installing the Trust Authority software, you must run the Setup Wizard to configure the system for your environment. For example, you need to specify where the different server programs were installed so that they can communicate.

• Select a "How do I...?" topic to learn about configuration-related tasks, such as how to define distinguished names, how to verify the configuration process, and how to prepare the system for release in a production environment.
• Select a "Tell me about..." topic to learn about concepts you need to understand when configuring the system. For example, you can learn how Trust Authority interacts with the Directory or obtain guidelines for using cryptographic hardware.
• Select a "Reference" topic to learn about the values you can or must specify when running the Setup Wizard.

For the latest product information, review the Readme file before you begin to configure the system. The latest version of the Readme file is available at the IBM SecureWay Trust Authority Web site: http://www.tivoli.com/support

Chapter 3. How do I...?

The topics in this section show you how to configure IBM SecureWay Trust Authority. Typical tasks include the following:

• Collecting information that you need to configure your system
• Using the Distinguished Name Editor to define DNs
• Setting up Trust Authority server programs and databases on remote machines
• Importing a set of configuration values to a new Trust Authority system
• Verifying that the system is configured correctly

After you configure the system, you should review several topics that can help you put your new Trust Authority system into production mode. Procedures are also available for uninstalling the product software, if you decide you need to remove it from your system.

Prepare for configuration

Before you begin to configure IBM SecureWay Trust Authority, you need to make sure that your workstation is set up correctly to run the Setup Wizard. You also need to gather information about your environment so that you can provide appropriate responses in the Setup Wizard.

Review the guidelines in the following sections to make sure that you are ready to begin the configuration process.

Set up the workstation

For best performance, you should run the Setup Wizard on a machine that is separate from the Trust Authority server machine. Doing so ensures that the maximum amount of system resources is available for running the applet.

To run the Setup Wizard, IBM recommends the following workstation configuration:

• The following physical machine setup:
  - Intel Pentium® processor with at least 96 MB of RAM, or better
  - A computer display that supports 1024x768 or higher resolution at 65536 colors, or better
• One of the following operating systems:
  - IBM AIX®
  - Microsoft Windows 95, Windows 98, or Windows NT
• A Web browser that supports JDK 1.1-based applets, such as:
  - Netscape Navigator and Netscape Communicator, version 4.05 or later
  - Microsoft Internet Explorer, version 4.01 or later
• The Java Swing Library (swingall.jar) version 1.1, locally installed. If you do not already have this version of the library, you can download it when you access the URL for the Setup Wizard. See "Run the Setup Wizard" on page 9 for details.

Browser considerations:

You must install the official version of the browser as distributed by Netscape or Microsoft. Versions obtained from third-party vendors may not display information correctly, especially when running the applet in a language other than English.

If you need to run the Wizard on the Trust Authority server itself, and that server runs Windows NT, use Microsoft Internet Explorer version 5.0 or later. The applet runs much more slowly under a Netscape browser.

If you run the Setup Wizard with a Netscape browser on an AIX platform, you will not be able to view the progress of the configuration process. The configuration program still runs to a successful completion, but you cannot watch the process status as it progresses.

Make sure that your browser does not use an HTTP proxy to access the Trust Authority server. If it does, the applet may experience various time-outs that could cause the configuration progress display to fail.

Collect configuration data

During configuration, the Setup Wizard prompts you for the information shown in the "Trust Authority Configuration Data Form" on page 7. Gather this information before starting the configuration process.

If you plan to install more than one Trust Authority server, you may want to print the form and record your choices. It may help you identify the particular set of configuration values that you want to import to a new installation.

Note: The Setup Wizard provides default values for many of the configuration options. In most cases, you should accept these values. Change them only if you are sure you need to do so.

Trust Authority Configuration Data Form

Window | Description | Default value | Choices | Your value
------ | ----------- | ------------- | ------- | ----------
Import Configuration Data | File name of a configuration data file you want to import. | None | |
Trust Authority Password | Password for the server components. Must contain 8 characters. | None | |
CA and Audit Server | Server virtual host name or IP address. | Fully-qualified host name of your RA server | |
 | Listening port for the CA server. | 1830 | |
 | Listening port for the Audit server. | 59998 | |
 | DN for the CA. | /C=US/O=YourOrganization/OU=TrustAuthority/CN=TrustAuthority CA | |
CA Key | CA signature algorithm. | sha-1WithRSAEncryption | sha-1WithRSAEncryption |
 | CA key size. | 1024 | 1024 |
 | Should this CA use 4758 hardware? | No | Yes, No |
 | If using 4758 hardware, the RSA key size. | 1024 | 512, 768, 1024, 2048 |
 | Do you want to store the CA key in 4758 hardware? | No (recommended) | Yes, No |
Directory Server | Server virtual host name or IP address. | Fully-qualified host name of your RA server | |
 | Listening port for Directory requests. | 389 | |
 | Do you want to use an existing Directory? | No | Yes, No |
Directory Root DN | Directory root DN. | /C=US/O=YourOrganization/OU=TrustAuthority/CN=Ldap RootDN | |
 | Directory root password. | None. If you previously installed the Directory, this must match the existing root password. | |
Directory Administrator | Directory administrator DN. | /C=US/O=YourOrganization/OU=TrustAuthority/CN=DirAdmin | |
 | Directory administrator password. | None. If you previously installed the Directory, this must match the existing administrator password. | |
 | Should the Directory administrator update the Directory? | Yes (recommended) | Yes, No |
Registration Domain | Domain name. Cannot contain spaces. | YourDomain | |
 | Domain language. | English | |
 | Domain installation directory. | AIX: /usr/lpp/iau/pkrf/Domains; Windows NT: c:\Program Files\IBM\Trust Authority\pkrf\Domains | |
Public Web Server | Server virtual host name or IP address. | Fully-qualified host name of your RA server | |
 | Listening port for requests that do not require encryption or authentication. | 80 | |
Secure Web Server, Without Client Authentication | Server virtual host name or IP address. | Fully-qualified host name of your RA server | |
 | Listening port for SSL requests that do not require client authentication. | 443 | |
Secure Web Server, With Client Authentication | Server virtual host name or IP address. | Fully-qualified host name of your RA server | |
 | Listening port for SSL requests that must be client-authenticated. | 1443 | |
PKIX Client | Listening port for PKIX CMP requests from client applications. | 829 | |
Save Configuration Data | File name for the configuration data file. Type a name that follows AIX or Windows NT conventions. Do not type a file extension. | DatabaseBackup | |

Configure the system

When you configure IBM SecureWay Trust Authority, you specify options for setting up the software in your environment. The topics in this section discuss the different ways that you can configure the Trust Authority components. They also show you how to save configuration values for reuse in a later Trust Authority installation. Topics you should review include the following:

• Running the Setup Wizard
• Importing configuration data
• Setting up remote servers
• Specifying DNs by typing them
• Using the DN Editor to specify DNs
• Viewing configuration messages
• Verifying the configuration

Run the Setup Wizard

When you are ready to begin configuration, use this procedure to start and run the Setup Wizard.

1. Make sure that your browser is ready to run the applet. This step is critical. See "Set up the workstation" on page 5 before proceeding.
2. Log in as the Trust Authority configuration user (typically, cfguser).
3. Access the URL where the index page for the applet was installed. In the following example, secure_Web_server identifies a secure Web server port on the machine where you installed the main Trust Authority code:

   https://secure_Web_server:81/

4. Respond to the browser prompts for accepting a self-signed certificate.
   • If you are using a Netscape browser, you will be prompted to accept a New Site Certificate. Click Next repeatedly until you click Finish to accept the certificate. When prompted, choose the option to Accept this certificate forever (until it expires).
   • If you are using Internet Explorer, you see a message that indicates that the certificate issuer is unknown. Click Yes to accept the certificate and proceed.
5. Respond to the browser prompt for a username and password: enter cfguser for the username, and the cfguser password specified when the account was created for the password.
6. The browser presents information about the Setup Wizard, such as how to download and install the version of Swing that is required for the applet.

   Note: If you have not already done so, download and configure Swing on your system before proceeding. Verify that the swingall.jar file was correctly installed. After adding the CLASSPATH variable to your system environment, you must restart the browser before attempting to load the configuration applet.

   In some instances, Microsoft Internet Explorer may rename the file to swingall..jar during the download. To resolve the problem, either rename the file to swingall.jar or download the file again.

7. When you are sure that your workstation is ready to begin the configuration process, click the link to CfgSetupWizard.html.

   Note: After starting the applet, be patient. Wait until the applet has completely loaded the configuration database before attempting to enter data in any fields.

   Under Microsoft Internet Explorer, the Java Console (if you elect to display it) may show a lengthy security exception. This can happen if the Swing UI Manager tries to load a property file that is not accessible to downloadable applets. You can ignore this harmless exception.

8. Advance through the applet by specifying values and clicking Next to proceed. In many cases, you can accept the displayed default values.
   • If you type an incorrect value, or if you attempt to proceed before providing information in a required field, the applet displays a message. Until you supply a value, an arrow symbol next to the field indicates that it is missing required data.
   • Occasionally, a text entry field may be selected even though it does not contain text. When this happens, you are prevented from entering characters in the field. To resolve this problem, press the Home key to reset the selection of the text field and free it to accept text.
   • As you move your cursor over a field, the applet displays a brief line of help for that field.
   • To view more descriptive information about all the fields in a given window, click a Help button at any time.
   • To view detailed information about Trust Authority configuration, click the book icon while viewing online help. This action opens this book, the Trust Authority Configuration Guide.
9. After saving your configuration values, you must click the Finish button. This action starts the configuration program (CfgStart), updates the server configuration files, and creates the required databases. See "Run CfgStart on AIX" and "Run CfgStart on Windows NT" on page 11 for more information about the configuration process.

   Note: If you do not click Finish, the applet will be unable to export your values to a configuration file. It will also be unable to display a post-configuration page that contains information that can help you validate the configuration and start using Trust Authority.

10. Review the status messages as the configuration programs run. If you installed any components on remote machines, you will see messages that instruct you to perform an action on the remote system before the process can continue.
11. There are several post-configuration steps you must take to verify and secure the system before using it. See "Verify the configuration" on page 18 and "Prepare for production" on page 19 for details.

Run CfgStart on AIX

After you specify configuration values in the Setup Wizard and click Finish, the CfgStart program starts automatically.

If you installed Trust Authority in a multiple machine setup, you must review "Set up remote servers" on page 13 and ensure that you run CfgStart on each machine in the proper order.

The output of the configuration process is saved in the following files:

• /usr/lpp/iau/logs/instCfg.log. This is the file you should review in a typical production system.
• /usr/lpp/iau/logs/AIXCfgStart.out. This file contains debug-level output messages that you should use only if there is a need for problem determination.
• /usr/lpp/iau/logs/AIXCfgStart.err. This file contains debug-level error messages that you should use only if there is a need for error determination.

After CfgStart begins, the Setup Wizard may mistakenly return an error message indicating that the configuration process on the AIX server has failed. Click OK in the message dialog box and ignore the message. Do not click the Finish button again. Instead, observe the AIXCfgStart.out file to make sure that configuration is proceeding. When the messages in the AIXCfgStart.out file indicate that Trust Authority configuration has completed successfully, click Finish to export your values to a configuration file.

Note: If you determine that a real error has occurred (for example, if you need to add disk space), address the problem. When you click Finish again, configuration should proceed from the point where it left off.

If you set up the browser to use a proxy server, which is not recommended, it is possible to accidentally start more than one instance of the CfgStart program. You can tell that this has occurred if you see multiple process description lines as the result of running the following command:

   ps -deaf | grep -v grep | grep CfgStart

The result of the above command should look similar to the following line:

   root 24012 23502 60 16:51:02 - 0:48 /usr/lpp/iau/bin/CfgStart -i

If more than one instance is running, kill the extra CfgStart process (that is, the one with the later time stamp) by entering the following command, where process_ID is the number that follows the word root in the preceding sample output:

   kill process_ID
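The duplicate-instance check described above, as an added example in Python that is not code from the guide or the product: it parses the output of the documented ps pipeline (a constructed sample is embedded below) and names the instance to kill, keeping the one that started first. The column layout is assumed to be the AIX one, UID PID PPID C STIME TTY TIME CMD; feed it the real `ps -deaf` output and compare its answer against the time stamps before typing the kill command.

```python
"""Pick out duplicate CfgStart instances from `ps -deaf` output.

Added example for this guide, not part of the product. It reproduces the
check `ps -deaf | grep -v grep | grep CfgStart` on captured ps output and
selects the instance(s) to kill: every CfgStart process except the one that
started first. The sample output is constructed; the column layout assumed
is the AIX one, UID PID PPID C STIME TTY TIME CMD.
"""
import re

# Constructed sample of `ps -deaf` output: a second, accidental CfgStart
# instance started two minutes after the first, plus the grep process that
# `ps | grep CfgStart` would otherwise list (hence the `grep -v grep`).
SAMPLE_PS = """\
root    24012 23502  60 16:51:02      -  0:48 /usr/lpp/iau/bin/CfgStart -i
root    24310 23502  55 16:53:17      -  0:12 /usr/lpp/iau/bin/CfgStart -i
cfguser 24400 24012   0 16:53:20  pts/1  0:00 grep CfgStart
"""


def cfgstart_processes(ps_output):
    """Return (pid, stime, cmd) for each real CfgStart process.

    Mirrors `grep -v grep | grep CfgStart`: lines whose program is grep are
    dropped, and only commands whose program name is CfgStart are kept.
    """
    procs = []
    for line in ps_output.splitlines():
        fields = line.split(None, 7)        # CMD may contain spaces: keep it whole
        if len(fields) < 8:
            continue
        pid, stime, cmd = int(fields[1]), fields[4], fields[7]
        program = cmd.split()[0]
        if program == "grep" or program.rsplit("/", 1)[-1] != "CfgStart":
            continue
        procs.append((pid, stime, cmd))
    return procs


def _start_key(stime):
    """Sort key for STIME: today's processes show HH:MM:SS, older ones a date."""
    m = re.fullmatch(r"(\d{2}):(\d{2}):(\d{2})", stime)
    if m:
        h, mi, s = (int(x) for x in m.groups())
        return (1, h * 3600 + mi * 60 + s)
    return (0, stime)   # started on an earlier day, so before any HH:MM:SS today


def extra_cfgstart_pids(ps_output):
    """PIDs of every CfgStart instance except the earliest-started one.

    Returns an empty list when zero or one instance is running, which is the
    normal case. Ties on STIME fall back to PID order.
    """
    procs = sorted(cfgstart_processes(ps_output),
                   key=lambda p: (_start_key(p[1]), p[0]))
    return [pid for pid, _, _ in procs[1:]]


def kill_command(pids):
    """The kill command line to run for the extra instances, or '' if none."""
    return ("kill " + " ".join(str(p) for p in pids)) if pids else ""


if __name__ == "__main__":
    print(kill_command(extra_cfgstart_pids(SAMPLE_PS)))   # kill 24310
```

The selection keeps the earliest-started process because that is the one the Setup Wizard launched first and is furthest along; killing the wrong one would leave a half-configured database behind.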

Run CfgStart on Windows NT

If you installed Trust Authority on Windows NT, you must manually start the CfgStart program after you click the Finish button in the Setup Wizard.

If you installed Trust Authority in a multiple machine setup, you must review "Set up remote servers" on page 13 and ensure that you run CfgStart on each machine in the proper order.

Use the following procedure to run CfgStart. The example shows the default installation path; your system may be different:

1. Open an MS DOS Command window.
2. Change to the bin subdirectory of the Trust Authority installation path. For example:

   cd "c:\Program Files\IBM\Trust Authority\bin"

3. If you want to capture verbose or detailed output, modify the properties of the MS DOS Command window: select the Layout tab, and increase the Height of the Screen Buffer Size to 9999.
4. Enter one of the following commands:

   CfgStart       (use for standard processing)
   CfgStart -i    (use to obtain verbose information)

While CfgStart is running, you may have problems with windows not being closed correctly. If this occurs, wait for the configuration process to end and then exit any open windows.

Additionally, if you are running the configuration process on an under-powered machine (such as one with less than 96 MB of RAM), you might receive an error indicating that CfgStart is unable to start the IBM HTTP Server instance for your registration domain. In fact, the HTTP Server instance (which is the final component configured by the CfgStart program) has started correctly, but the check command has timed out. All the Trust Authority programs are running, but CfgStart is unable to clean up the passwords in the configuration database. If this problem occurs, take one of the following actions:

• Run CfgStart.exe again. This time it should complete and successfully clean up the passwords in the database, because the HTTP Server instance for the registration domain is already running (from the previous call to CfgStart.exe), which prevents the check command from timing out.
• Ignore the problem and complete the procedures to verify the configuration and obtain a certificate. Note that in this case the passwords remain in the configuration database until a later run of CfgStart cleans them up.

Import configuration data

To help you set up multiple Trust Authority systems with similar configurations, the Setup Wizard saves your configuration values into an exportable file. Later, you can import this file and use it as the baseline for setting up another Trust Authority system.

If you plan to install Trust Authority on multiple servers and set up a similar configuration on each, you may want to take advantage of this feature. The ability to import configurations also facilitates the migration of an existing system that was configured for an earlier release of Trust Authority.

Notes:

• If you attempt to import configuration data to a system that is already configured, you will destroy all existing data.
• When you import configuration data, you can import it only to a system that is running the same operating system. For example, you cannot import a configuration data file that contains values for an AIX platform and use it to configure Trust Authority under Windows NT.

Use the following procedure as a guideline for importing configuration data.

1. Install Trust Authority on one machine. Make a note of the name you give the data file when you save the configuration data.
2. Install a new instance of Trust Authority on a different machine.
3. Copy the configuration data file from the first Trust Authority machine to the second machine.
   • In AIX, the default path for storing configuration data files is /usr/lpp/iau/cfg/cfgdb/
   • In Windows NT, the default path for storing configuration data files is c:\Program Files\IBM\Trust Authority\cfg\cfgdb\
4. Start the Setup Wizard on the new machine. The first window asks you to specify whether or not you want to import configuration data from a previous installation. Click the check box to indicate that you do.
5. The next window instructs you to select the configuration data file you want to use for this installation. Select the file that you copied to this machine.
6. You must also specify whether you are installing a new Trust Authority server or migrating data from a previous version of the product.
7. When you click Next to continue, the Setup Wizard populates the remaining windows in the applet with information from the file you imported.
8. Selectively change the few values that need to be different for this installation of Trust Authority.

Set up remote servers

If you installed the CA, Audit, and Directory servers on the same machine as the main Trust Authority and Registration Authority server, the configuration programs run without prompting for information.

If you installed any server components on a remote machine, the Setup Wizard pauses when it reaches the point where that component needs to be configured. You must go to that machine and run the requested configuration program before continuing with configuration on the main Trust Authority server.

Use the following procedure as a guideline for configuring remote components after you click the Finish button in the Setup Wizard:

1. Note the progress in the Status column. When the applet reaches a point where a component that needs to be configured is not on the main Trust Authority server, it displays the message Partially Configured. It also displays a message window that tells you which component needs to be configured next.
2. Follow the instructions in the displayed message and go to the specified remote machine. Configure components in the following order:
   a. RA Server (start configuration for the main Trust Authority server)
   b. Directory Server (create a database for Directory data and configure the Directory)
   c. CA and Audit Server (create databases for CA and Audit data)
   d. RA Server (create a database for registration data and configure the RA)
   e. CA and Audit Server (configure the CA and Audit subsystem; the CA starts at the end of this process)
   f. RA Server (set up enrollment and configure the HTTP and WebSphere™ Application Servers)
3. If you are running AIX, enter the following commands at the remote machine to catalog the configuration database, where TrustAuthorityServerName is the host name of the main Trust Authority server:

   cd /usr/lpp/iau/bin      (this is the default path for this program)
   CfgPostInstall -r

4. Change to the Trust Authority configuration program directory, and run the CfgStart program as cfguser.
   • In AIX, the default path for this program is /usr/lpp/iau/bin/CfgStart
   • In Windows NT, the default path for this program is c:\Program Files\IBM\Trust Authority\bin\CfgStart

   The CfgStart program creates the needed database on the remote server and performs additional configuration tasks. When it reaches the point where it cannot proceed, it displays a message that instructs you to return to the main Trust Authority server.
5. Go to the main server and click Continue in the message window to proceed with the configuration process. If you set up any components on a third machine, configuration continues until it reaches the point where configuration of that remote component is required.
6. Repeat the preceding steps to run the requested configuration programs on that remote machine, and then return to the main Trust Authority server.

The Setup Wizard displays a message when all the components have been successfully configured.

Specify DNs by typing them

HintTo facilitate your ability to specify distinguished names (DNs), the SetupWizard includes a graphical user interface, the Distinguished Name Editor.For greatest accuracy, you should use this tool to specify DNs for TrustAuthority instead of typing them.

During configuration, you must specify unique DNs for several Trust Authoritycomponents: the CA, the Directory root, and the Directory administrator. If you arenot familiar with the format of DNs in the X.509v3 standard, see “Use the DNEditor” on page 15 for assistance.

If you are familiar with the X.509v3 standard, you can type the DNs as you movethrough the Setup Wizard. Trust Authority supports the following DN attributes:

Entry Length Value

C= 4 The country where the object of the DN is located. This mustmatch a string defined in the ISO 3166 standard.

ST= 128 The state or province where the object of the DN is located.

L= 128 The locality (city or municipality) where the object of the DNis located.

STREET= 128 The street address where the object of the DN is located.

O= 64 The name of the organization that the object of this DN isaffiliated with.

OU= 64 The unit within the organization that the object of this DN isaffiliated with, such as a corporate division or a productname. A single DN can contain up to four OU attributes.

CN= 64 The common name for the object of this DN, such as aperson’s full name or the intended purpose of a device.

DC= 64 The domain component, which may consist of one or morerelative distinguished names (RDNs). Each RDN contains acomponent of the entity’s internet domain name, with themost-significant component listed first. For example, theinternet domain name ″CS.UCL.AC.UK″ can be transformedinto /DC=UK/DC=AC/DC=UCL/DC=CS.

14 Trust Authority: Configuration Guide

When typing the DN, you must adhere to the following DN format requirements:
• You must assign a descriptive or common name to identify the object. All other attributes are optional.
• Even though CN= is the only required attribute, a DN cannot be composed of the CN attribute only; the DN must contain another attribute in addition to the CN= attribute.
• Type the CN= attribute last.
• Precede each attribute by a forward slash (/), including the first entry.
• Do not use a closing separator.
• If a value contains special characters, enclose them in double quotation marks (" ").
• If you include location attributes, type them in this sequence: /ST= /L= /STREET=.
• If you include organization attributes, type them in this sequence: /O= /OU=.
• You can interleave the location and organization attributes, so long as you maintain their respective sequences. Trust Authority suggests the following sequences:
  – /C=/DC=/ST=/L=/STREET=/O=/OU=/CN= (this is the preferred format)
  – /C=/DC=/ST=/L=/O=/OU=/STREET=/CN=
  – /C=/DC=/ST=/O=/OU=/L=/STREET=/CN=
  – /C=/DC=/O=/OU=/ST=/L=/STREET=/CN=

Shown below is an example of a DN entry that uses the preferred format, where the domain name is TRUSTCA.IBM.COM:
/C=US/DC=COM/DC=IBM/DC=TRUSTCA/ST=MD/L=Gaithersburg/STREET=800 N. Frederick Avenue/O=IBM/OU=PKI/CN=TrustCA
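The following is an added example, not code from the Trust Authority product or its Setup Wizard: it encodes the typed-DN rules listed above (leading slash on every attribute, no closing separator, one CN= typed last, at least one other attribute, up to four OU=, the maximum lengths from the attribute table, the ST/L/STREET and O/OU ordering, and the four suggested sequences) so that a DN can be checked before it is entered. The set of "special characters" that forces double quotes is an assumption, since the guide does not list them.

```python
"""Build and check distinguished names in the typed form Trust Authority accepts.

Added example; not part of IBM Trust Authority. The quoting character set is an
assumption. Run the module directly to see the guide's own example DN rebuilt.
"""
import re

# Maximum value length per attribute, from the attribute table above.
MAX_LEN = {"C": 4, "ST": 128, "L": 128, "STREET": 128,
           "O": 64, "OU": 64, "CN": 64, "DC": 64}
MAX_OU = 4                          # a single DN may carry up to four OU= attributes
LOCATION_ORDER = ("ST", "L", "STREET")
ORG_ORDER = ("O", "OU")

# The four sequences the guide suggests; "preferred" is the recommended one.
SEQUENCES = {
    "preferred": ("C", "DC", "ST", "L", "STREET", "O", "OU", "CN"),
    "street_after_org": ("C", "DC", "ST", "L", "O", "OU", "STREET", "CN"),
    "locality_after_org": ("C", "DC", "ST", "O", "OU", "L", "STREET", "CN"),
    "state_after_org": ("C", "DC", "O", "OU", "ST", "L", "STREET", "CN"),
}

# Assumption: a value containing any of these is wrapped in double quotes
# (slash is the attribute separator; the rest are the usual DN specials).
SPECIAL_CHARS = set('/"=,+;<>#\\')

# One attribute: slash, name, '=', then a quoted value or a run of non-slashes.
_ATTR_RE = re.compile(r'/([A-Za-z]+)=("[^"]*"|[^/]*)')


def domain_to_dc(domain):
    """Turn CS.UCL.AC.UK into ['UK', 'AC', 'UCL', 'CS'], most significant first."""
    labels = [p for p in domain.strip(".").split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return list(reversed(labels))


def quote_value(value):
    """Wrap a value in double quotes when it contains a special character."""
    if '"' in value:
        raise ValueError("a value may not contain a double quote: %r" % value)
    return '"%s"' % value if any(c in SPECIAL_CHARS for c in value) else value


def parse_dn(dn):
    """Split a typed DN into an ordered list of (attribute, value) pairs."""
    pairs, pos = [], 0
    while pos < len(dn):
        m = _ATTR_RE.match(dn, pos)
        if not m:
            raise ValueError("malformed DN at offset %d: every attribute needs a "
                             "leading '/' and there is no closing separator" % pos)
        name, value = m.group(1).upper(), m.group(2)
        if value.startswith('"'):
            if len(value) < 2 or not value.endswith('"'):
                raise ValueError("unbalanced quotes in %s= value" % name)
            value = value[1:-1]
        if not value:
            raise ValueError("attribute %s= has an empty value" % name)
        pairs.append((name, value))
        pos = m.end()
    if not pairs:
        raise ValueError("empty DN")
    return pairs


def _order_problems(names, order, label):
    """Report attributes of one group that appear out of their required order."""
    ranks = [order.index(n) for n in names if n in order]
    if ranks != sorted(ranks):
        return ["%s attributes must be typed in the order /%s=" % (label, "= /".join(order))]
    return []


def validate_dn(dn):
    """Return the list of rule violations for a typed DN (empty means acceptable)."""
    try:
        pairs = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for name, value in pairs:
        if name not in MAX_LEN:
            problems.append("unsupported attribute %s=" % name)
        elif len(value) > MAX_LEN[name]:
            problems.append("%s= value exceeds %d characters" % (name, MAX_LEN[name]))
    names = [n for n, _ in pairs]
    if names.count("CN") != 1:
        problems.append("exactly one CN= attribute is required")
    elif names[-1] != "CN":
        problems.append("CN= must be the last attribute")
    elif len(names) == 1:
        problems.append("a DN cannot consist of CN= alone; add another attribute")
    if names.count("OU") > MAX_OU:
        problems.append("at most %d OU= attributes are allowed" % MAX_OU)
    problems += _order_problems(names, LOCATION_ORDER, "location")
    problems += _order_problems(names, ORG_ORDER, "organization")
    return problems


def build_dn(attrs, sequence=SEQUENCES["preferred"]):
    """Render attrs (dict; DC and OU may be lists) in a suggested sequence and validate it."""
    unknown = set(attrs) - set(sequence)
    if unknown:
        raise ValueError("attributes not in the chosen sequence: %s" % sorted(unknown))
    parts = []
    for name in sequence:
        values = attrs.get(name)
        if values is None:
            continue
        if not isinstance(values, (list, tuple)):
            values = [values]
        parts.extend("/%s=%s" % (name, quote_value(str(v))) for v in values)
    dn = "".join(parts)
    problems = validate_dn(dn)
    if problems:
        raise ValueError("; ".join(problems))
    return dn
```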

See Trust Authority Up and Running for more information about how Trust Authority uses the Directory.

Use the DN Editor

Whenever the Setup Wizard asks you to specify a distinguished name (DN), you can click the DN Editor icon to start the Distinguished Name Editor.

This graphical user interface makes it easy for you to specify the parts of the DN you want to include. It also keeps you from having to be knowledgeable about the syntax of the DN. You simply fill in the blanks for the attributes you want to include in the DN, and then select from a list of attribute sequences.

The DN Editor divides the parts of the DN into several tabbed areas:
• One collects general information about the person, program, or device for which the DN is being created (the object of the DN)
• One collects information about the organization that owns the object of the DN
• One collects information about where the object of the DN is located
• One identifies the sequential format for the various parts of the DN

General Information

Common name
Type a descriptive name for the object of this DN. For an individual, this is typically the person's full name. For servers, applications, devices, or other objects, you should assign a name that will help you identify its function or purpose.

Country
Select the country where the object of this DN is located.

Domain name
Type the internet domain name that identifies this entry.

Organization Information

Organization name
Optionally type the name of the organization that the object of this DN is affiliated with. Typically this is the legally registered name of the organization. To include an organizational unit, you must first specify the organization name.

Organizational unit
Optionally identify the unit within the organization that the object of this DN is affiliated with. For example, this could be an organizational division such as Customer Accounts, or a category of work such as a product name. You can associate a given DN with up to four organizational units.

Location Information

State or province
Optionally identify the state or province where the object of the DN is physically located. This may also be a geographical area that the object is associated with in some meaningful way. Typically, this is the location of the organization that the DN is affiliated with.

Whether you spell out the full name of the state or province, or use a standard abbreviation, depends on your registration preferences. For example, use either New York or NY.

Locality
Optionally identify the city or municipality where the object of the DN is physically located, such as Chicago or Paris. This may also be some geographical area that is meaningful to the object of the DN in some way. To include information about the locality, you must first specify the state or province.

Street address
Optionally identify the street address where the object of the DN is located. Typically, this is the street address of the organization that the DN is affiliated with. To include a street address, you must first specify the locality and the state or province name.

Format Type:
After identifying the attributes that will make this DN unambiguous and unique, you must select the attribute sequence. When you select an option, the DN Editor displays an example of what the DN looks like in the selected order.

The sequence you choose depends entirely on how your organization views its structure, the entities it intends to include in a given administrative domain, and how it intends to use and search the Directory.


For example, if your organization has offices in multiple locations, you may want to specify location information before organization information. In this approach, a Directory query could be limited to entries that belong to a particular geographical area.

Note that the DN Editor may show truncated text in the right margin of the Format area where it displays the format of the DN. This is a display error; it does not impact the actual format of the DN being created.

Location first
This is the default and preferred format, in which all location information precedes organization information. The sequence of the attributes is as follows:
/Domain name/Country/State or province/Locality/Street address/Organization/Organizational unit/Common name

Street address follows organization
In this format, information about the organization precedes the street address that is associated with the object of the DN. The sequence of the attributes is as follows:
/Domain name/Country/State or province/Locality/Organization/Organizational unit/Street address/Common name

Locality follows organization
In this format, information about the organization precedes the city or municipality that is associated with the object of the DN, and its street address. The sequence of the attributes is as follows:
/Domain name/Country/State or province/Organization/Organizational unit/Locality/Street address/Common name

State or province follows organization
In this format, information about the organization precedes the location information. The sequence of the attributes is as follows:
/Domain name/Country/Organization/Organizational unit/State or province/Locality/Street address/Common name

View configuration messages

After you click the Finish button to start the configuration process, a series of configuration programs run. These programs apply the configuration values you specified to the various Trust Authority server components and create the component databases.

While the configuration process is running, the Status column provides the general status of each component as it is being configured.

For more detailed information about the progress of the programs, click the View Advanced Messages button.


Troubleshooting on Windows NT
There is a known file locking problem under Windows NT that may cause the Setup Wizard to fail when it tries to retrieve the current contents of the configuration log file from a Windows NT server. When you click the View Advanced Messages button, this problem results in a blank dialog window.

If you experience this problem, you should close the blank window, and click View Advanced Messages again to allow the Setup Wizard to retrieve the contents of the log file. If the problem persists, you can repeat this action until the window shows the contents of the log file, or go to the Trust Authority server machine and view the log file directly. The log file, instCfg.log, is located in the logs subdirectory of the installation root. The following example shows the default installation path:
c:\Program Files\IBM\Trust Authority\logs\instCfg.log

Verify the configuration

After the configuration process ends, you need to confirm that the system is correctly configured. This procedure instructs you to verify your ability to obtain a certificate twice: once after the system has been initially configured and again after the system has been completely shut down and restarted.
1. When configuration is complete, click Exit to exit the Setup Wizard.
2. The applet exits to the Trust Authority Configuration Verification page. Click the link to the enrollment Web site.
   If the Configuration Verification page is not displayed, you can access the enrollment Web site at the following URL, where MyPublicWebServer is the host name of your public Web server and MyDomain is the name of your registration domain:
   http://MyPublicWebServer:80/MyDomain/index.jsp
   The browser opens the enrollment index page, which in the default installation is named Credential Central. Your organization may have named it something else.
3. Click the link to install our server's CA certificate. This certificate enables your browser to authenticate communications from the enrollment services. If you connect to the enrollment services from this browser in the future, you can omit this step.
4. In the Certificate Enrollment area:
   a. Select Enrollment Type → Browser certificate.
   b. Select Action → Enroll.
   c. Click OK.
5. Follow the online instructions to complete both parts of the registration form.
   • When selecting the Type of Certificate in the Registration Information part of the form, select Web Client Authentication (1 Year). In the default installation, this action allows the certificate request to be handled by an automated approval process.
   • Click Install CA Certificate to Browser. This certificate defines information specific to browser enrollment. When you enroll for browser certificates in the future, you can omit this step. Note that the first time you enroll for a server or device certificate, you must select this option again to install the CA certificate that supports that certificate type.


6. When satisfied with your enrollment data, click Submit Enrollment Request.
7. Follow the online instructions to check the status of your request. Be sure to bookmark the status page. This is the easiest way to return and check your status.
   As a safeguard, you should record the request ID that is displayed after you submit the request. If you specified that you wanted to receive an e-mail notification on the enrollment form, the request ID will be sent to you.
8. The first time you check your status after the request has been approved, the certificate will be automatically downloaded and installed in your browser. Follow the online instructions in the approval notification to confirm that it was correctly installed.
9. Follow the procedures in the Trust Authority System Administration Guide to stop all Trust Authority components. If you installed Trust Authority on multiple machines, be sure to stop each server program in the proper order.
10. Stop the WebSphere Application Server and IBM HTTP Server instances associated with the Setup Wizard by entering Ctrl-C in the respective windows.
11. Reboot the main Trust Authority machine (the RA Server).
12. Follow the procedures in the Trust Authority System Administration Guide to start all Trust Authority components. If you installed Trust Authority on multiple machines, be sure to start each server program in the proper order.
13. Repeat the preceding steps (step 2 on page 18 through step 8) to again confirm your ability to obtain a browser certificate.

After successfully installing this second certificate, your system is ready to begin processing requests. For complete information about the enrollment process and the different types of certificates available to users, see the Trust Authority User's Guide.

Prepare for production

After verifying the installation of your new Trust Authority system, there are several steps you should take to finalize the system's setup and secure it for a production environment.
• Secure the Setup Wizard.
• Change Directory permissions (AIX only).
• Change the server passwords.
• Edit configuration files (only if necessary).
• Authorize registrars.
• Back up the newly configured system.
• Customize the registration domain.
• Educate your administrators and users. Refer to the following books for assistance:
  – Trust Authority RA Desktop Guide, for information about how to access and use the RA Desktop to administer certificates.
  – Trust Authority User's Guide, for information about using the browser-based enrollment forms and the Trust Authority Client application to obtain and manage certificates.


Secure the Setup Wizard

After running the Setup Wizard and applying configuration values, you should secure the applet to protect it from being run on this Trust Authority server again. Once you have configured a given Trust Authority system, you cannot reconfigure it. Although there are flags in the configuration programs to prevent certain components from being configured again, you may want to take additional steps to safeguard the applet.

To prevent the Setup Wizard from being run again, you should rename it or move it to a directory where it cannot be readily accessed. During installation, the Setup Wizard is installed at the following locations:
• In AIX, the default path for the applet is:
  /usr/lpp/iau/cfg/CfgSetupWizard.html
• In Windows NT, the default path for the applet is:
  c:\Program Files\IBM\Trust Authority\cfg\CfgSetupWizard.html

Change Directory permissions on AIX

If you configured Trust Authority on an AIX platform, you need to change the ownership permissions for the slapd.conf file. During configuration, Trust Authority sets the owner of certain Directory configuration files to cfguser.cfggrp. You need to change the owner to ldap.ldap. Doing so will allow the Directory administrator to make changes necessary for other products that may share the Directory with Trust Authority. To do this, take the following steps:
1. Log in as root.
2. Enter the following command to change directories:
   cd /usr/ldap/etc
3. Enter the following command to set the appropriate ownership permissions:
   chown ldap.ldap slapd.conf

Change server passwords

When you configure Trust Authority, you specify the following passwords:
• One to secure the Trust Authority server components
• One for the Directory root
• One for the Directory administrator

You need to remember these passwords to be able to run certain administrative tools. Furthermore, before putting your system into production mode, you must run the Change Password utility and specify a password for each trusted component. To secure your system, control access to it, and allow the components to be started securely, this step is critical.

The keys that enable the server components to be authenticated are stored in separate encrypted KeyStores. The first time you run the utility, you must specify the passwords that you specified during configuration.
• You must specify the Trust Authority server password to access most of the component KeyStores and change their passwords.
• You must specify the Directory administrator password to access the Directory Administrator KeyStore and change its password.

After you change a password, only the authorized component can access the KeyStore and the keys and encrypted data in it.


For complete information about using the Change Password utility, see the Trust Authority System Administration Guide.

Edit configuration files

After you save your configuration values and start the configuration process, the configuration programs update several configuration files. These files control the runtime behavior of the product components.

You can and should use the configuration values as they are set during the configuration process. However, you may want to adjust certain values to better meet the needs of your operational environment. For example, you may want to adjust a server timeout value or adjust a polling interval.

To facilitate your ability to change operational values, Trust Authority provides a utility for editing configuration files. Before using the IniEditor utility to make changes to a configuration file, be sure to create a backup copy of the file.

For information about editing Trust Authority configuration files, and information about which parameters you can or cannot change, see the Trust Authority System Administration Guide.

Authorize registrars

Trust Authority supports automated approval for registration requests. To permit a human administrator to review requests, and approve or reject them accordingly, you must designate the user as a Trust Authority registrar. After being authorized, the registrar can run the RA Desktop to administer certificates and enrollment requests. To support your registration work load, you can authorize any number of registrars.

To facilitate this process, Trust Authority provides a command line utility. When you use the add_rauser utility to authorize an administrative user, you identify the registration domain and specify the user's privileges. For example, you might authorize one registrar to approve and reject requests only, but authorize another registrar to revoke certificates as well.
• For information about adding registrars, see the Trust Authority System Administration Guide.
• For information about accessing and using the RA Desktop, see the Trust Authority RA Desktop Guide.

Back up the Trust Authority system

Before putting your system into production, make sure that you have a current backup of all server components and their database repositories. This includes:
• The main Trust Authority server, including the Registration Authority, all Trust Authority core software and support utilities, and the databases created for configuration and registration data.
• The Web server, including WebSphere Application Server and HTTP Server.
• The Directory server, including the Directory's database.
• The CA and Audit server, including the databases created for CA and Audit data.
• The 4758 coprocessor, if installed and used with this installation of Trust Authority.


For information about backing up the components you need to protect in Trust Authority, see the Trust Authority System Administration Guide.

Directory changes for DN flexibility

If the production environment involves issuing certificates using domain names outside the CA's branch, modify SecureWay Directory to allow Trust Authority to create the branches in the Directory:
1. Determine which suffixes need to be added.
2. Modify the slapd.conf files to add the suffix to the Directory.
3. Restart slapd.
4. Add the object in the Directory database corresponding to the suffix.
5. Modify the ACLs for each suffix.
6. Ensure that the ldap_autoCreate_entries in the raconfig.cfg file is set to true.

Modify the ACL for new LDAP Suffix

Trust Authority binds to SecureWay Directory using the Directory Administrator userid and password. Each new suffix needs to include the Directory Administrator in its ACL. For example, an ACL where the Directory Administrator was added to a suffix would be:
access-id:CN=DIRADMIN,OU=TRUST AUTHORITY,O=YOUR ORGANIZATION,C=US:object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc

Also, new suffixes for the anonymous user (CN=ANYBODY) need to have:
group:CN=ANYBODY:normal:rsc:sensitive:rsc

where normal, sensitive and critical are the classes of ACLs and rwsc are the permission levels: read, write, search and compare.
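As an added check, not part of Trust Authority or SecureWay Directory, the following code parses ACL entries in the colon-separated shape shown above and confirms that a new suffix grants the Directory Administrator rwsc on the normal, sensitive and critical classes and CN=ANYBODY rsc on normal and sensitive. The entry shape beyond the two examples above (subject type, subject DN, optional object permissions, then class/permission pairs) is an assumption.

```python
"""Check the ACL entries for a new SecureWay Directory suffix.

Added example; not part of IBM Trust Authority. The ACL entry shape beyond the
guide's two examples is an assumption. Subject DNs containing ':' are not
supported by this simple parser.
"""

PERMISSION_NAMES = {"r": "read", "w": "write", "s": "search", "c": "compare"}
REQUIRED_ADMIN = {"normal": "rwsc", "sensitive": "rwsc", "critical": "rwsc"}
REQUIRED_ANONYMOUS = {"normal": "rsc", "sensitive": "rsc"}


def normalize_dn(dn):
    """Uppercase a DN and drop spaces around commas so equal DNs compare equal."""
    return ",".join(part.strip() for part in dn.upper().split(","))


def parse_acl_entry(entry):
    """Split 'type:subject[:object:perms]:class:perms...' into a dict of grants."""
    tokens = entry.strip().split(":")
    if len(tokens) < 4 or len(tokens) % 2:
        raise ValueError("malformed ACL entry: %r" % entry)
    grants = {}
    # Pair each class name (normal, sensitive, critical, or object) with its letters.
    for cls, letters in zip(tokens[2::2], tokens[3::2]):
        grants[cls.lower()] = set(letters.lower())
    return {"type": tokens[0].lower(), "subject": normalize_dn(tokens[1]), "grants": grants}


def missing_grants(grants, required):
    """List (class, permission name) pairs that required demands but grants lacks."""
    missing = []
    for cls, letters in required.items():
        for letter in letters:
            if letter not in grants.get(cls, set()):
                missing.append((cls, PERMISSION_NAMES[letter]))
    return missing


def check_suffix_acl(entries, admin_dn):
    """Return the problems with a suffix's ACL entries (an empty list means OK)."""
    parsed = [parse_acl_entry(e) for e in entries]
    admin_dn_norm = normalize_dn(admin_dn)
    admin = [e for e in parsed if e["type"] == "access-id" and e["subject"] == admin_dn_norm]
    anonymous = [e for e in parsed if e["type"] == "group" and e["subject"] == "CN=ANYBODY"]
    problems = []
    if not admin:
        problems.append("no access-id entry for the Directory Administrator %s" % admin_dn)
    else:
        problems += ["administrator lacks %s on class %s" % (perm, cls)
                     for cls, perm in missing_grants(admin[0]["grants"], REQUIRED_ADMIN)]
    if not anonymous:
        problems.append("no group entry for the anonymous user CN=ANYBODY")
    else:
        problems += ["CN=ANYBODY lacks %s on class %s" % (perm, cls)
                     for cls, perm in missing_grants(anonymous[0]["grants"], REQUIRED_ANONYMOUS)]
    return problems


# The guide's two example entries, constructed inline so the module runs stand-alone.
ADMIN_DN = "CN=DIRADMIN,OU=TRUST AUTHORITY,O=YOUR ORGANIZATION,C=US"
SAMPLE_ACL = [
    "access-id:" + ADMIN_DN + ":object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc",
    "group:CN=ANYBODY:normal:rsc:sensitive:rsc",
]

if __name__ == "__main__":
    print(check_suffix_acl(SAMPLE_ACL, ADMIN_DN) or "ACL is complete for this suffix")
```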

Customize the registration domain

Your registration domain can use the registration facility provided with Trust Authority as provided. However, you may want to change some of the enrollment forms or registration processes to reflect your organization's specific goals for digital certification. For example, you may want to display your corporate logo on the browser enrollment forms. You may also want to create or customize a certificate profile so that it supports the particular class of users, servers, or devices being enrolled.

After you install Trust Authority and run the Setup Wizard, you can customize many of the files that define your registration domain for your business purposes. As with any customization task, be sure to make a backup copy of any file you plan to change.

You can customize the following files. During configuration, these files are created in the directory path for the registration domain.
• The configuration files (file type .cfg) installed in the etc subdirectory. For example, you may want to adjust an operational setting for the RA server or RA Desktop.
• The sample notification letters (file type .ltr) installed in the etc subdirectory. Trust Authority provides sample text to inform users when a request has been approved or rejected, but you may want to write your own.



• The HTML files (file type .html), graphics (file type .gif), and Java Server Pages (file type .jsp) installed in the webpages subdirectory. For example, you may want to alter the text and graphics displayed in the browser enrollment forms. You can also customize an existing certificate profile or define a new one to support your organization's certificate policies.
• The policy exit (policy_exit) installed in the bin subdirectory. Trust Authority provides this exit as an example of how to handle automated approval processing. You can write other exits to integrate registration processing with your other applications or to call your own processing actions.

For information about changes you can make to your registration and certification processes, and for instructions on how to do so, see the Trust Authority Customization Guide.

Reconfigure the system

After you apply configuration values and run the configuration programs for this installation of Trust Authority, you cannot reconfigure the system.

You can edit configuration values to change certain operational controls, but you cannot re-run the Setup Wizard to alter a previously configured system.

Note: If you attempt to reconfigure the system, you risk destroying all existing configuration data.

See the Trust Authority System Administration Guide for information about the configuration parameters that you can update after you configure the system.

Use Trust Authority With Policy Director

You can set up IBM SecureWay Policy Director to share the Directory with Trust Authority and accept certificates signed by a Trust Authority CA. The following steps summarize the procedure you should follow to set up Trust Authority and Policy Director so that they can interact and share secure resources.
1. Install and configure Trust Authority and make sure that it is working properly on its own.

   Note: To prepare for Policy Director, you should modify the default Directory root DN when running the Setup Wizard. For Policy Director, the root DN cannot contain any spaces. Furthermore, the default root DN is long and created as a branch in the Directory. Altering it will help you to achieve symmetry in the Directory tree.

   If you configured Trust Authority on an AIX platform, be sure to follow the steps in “Change Directory permissions on AIX” on page 20. Doing so is critical to your ability to configure Policy Director to use the Directory.

2. Install and configure DCE. Make sure that it is working properly on its own and enter the following command to confirm that the DCE services are available:
   dcecp -c cell ping

3. On the Directory server, create the Directory entries that are required by Policy Director. Make sure that there are no spaces following any commas in the DNs. Refer to the Policy Director documentation for details about the required entries. As a general guideline:


   • Set up the Directory Admin port and launch the Admin pages to create the required administrator entries.
   • Use the Directory Management console to create the additional required entries.

4. Install Netseat and Policy Director. Make sure that the components are active, can communicate, and are working correctly on their own.

At this point, both Trust Authority and Policy Director are correctly configured to share the same Directory.

Uninstall Trust Authority

Use the following procedures if you need to uninstall the Trust Authority product. For example, you may want to uninstall a version of Trust Authority you set up for test purposes before installing a system you intend to use in production.

Separate procedures exist for the supported server platforms.

Uninstall from AIX

If you installed the Trust Authority server components on an AIX system, use the following procedure only if you need to uninstall the product. Review the following guidelines before removing the Trust Authority software:
• If you installed the components on multiple machines, you must repeat the following steps to remove software from each machine.
• If you receive any error messages about processes not existing, you can ignore the messages and continue. This procedure provides general guidance; processes actually running on your system may be different.
• This procedure assumes that you use the default installation paths and database names. If your installation is different, adapt the procedure accordingly.

1. Enter the following commands to stop the Trust Authority components:
   su - cfguser
   cd /usr/lpp/iau/bin
   ./Stop_TA.sh

   This command should stop the WebSphere Application Server, all httpd instances associated with Trust Authority, the RA Server, the CA Server, the Audit Server, and the Directory Server.

2. Stop all remaining httpd instances. First, use the ps command to list the running httpd processes, and then use the kill command to stop them. Shown below are examples of how to use these commands along with sample output.
   $ ps -ef | grep httpd
   cfguser 22766 15664 0 15:57:00 pts/3 0:00 grep httpd
   cfguser 24440 27132 0 14:01:15 - 0:00 /usr/lpp/HTTPServer/sbin/httpd -f /usr/lpp/iau/etc/httpd-CfgApplet.conf
   cfguser 25752 27132 0 09:08:42 - 0:01 /usr/lpp/HTTPServer/sbin/httpd -f /usr/lpp/iau/etc/httpd-CfgApplet.conf
   root 27132 1 0 Oct 09 - 0:12 /usr/lpp/HTTPServer/sbin/httpd -f /usr/lpp/iau/etc/httpd-CfgApplet.conf
   $ su
   root's Password: password
   # kill 24440 25752 27132

3. Use the ps and kill commands to identify and then stop any remaining slapd processes owned by cfguser. If there is no slapd in the process table, proceed to the next step.


   # ps -ef | grep slapd
   cfguser 13942 1 0 09:51:41 pts/1 0:00 /usr/bin/slapd -f /etc/slapd.conf
   root 24444 22768 0 15:58:48 pts/3 0:00 grep slapd
   # kill 13942

4. Use the ps and kill commands to identify and then stop all processes owned by cfguser other than DB2 processes and shells.
   # ps -ef | grep cfguser | grep -v db2
   cfguser 15664 33842 0 15:54:58 pts/3 0:00 -ksh
   cfguser 16270 31674 0 09:20:53 pts/1 0:00 -ksh
   cfguser 20566 1 0 Oct 09 - 0:00 /usr/lpp/HTTPServer/sbin/sidd
   cfguser 21978 1 0 13:59:16 pts/1 0:21 java com/ibm/servlet/engine/outofproc/OutOfProcEngine -nativelogfile /usr/lpp/iau/etc/logs/oop_native.log -nativeloglevel 14 -linktype remote -port 8081 -queuename ibmappserve -stublib /usr/WebSphere/AppServer/plugins/aix/libosestub.so -serverlib /usr/WebSphere/AppServer/plugins/aix/libasouts.so
   cfguser 11868 1 13 10:21:33 pts/1 0:18 java com/ibm/servlet/engine/outofproc/OutOfProcEngine -nativelogfile /usr/lpp/iau/pkrf/Domains/YourDomain/etc/logs/oop_native.log -nativeloglevel 14 -linktype local -port 8081 -queuename ibmappserve -stublib /usr/WebSphere/AppServer/plugins/aix/libosestub.so -serverlib /usr/WebSphere/AppServer/plugins/aix/libasouts.so
   root 22414 22768 0 16:00:23 pts/3 0:00 grep cfguser
   cfguser 26686 13570 0 15:54:05 pts/3 0:00 -ksh
   cfguser 28748 16270 0 09:22:26 pts/1 0:00 -ksh
   cfguser 29830 16772 0 15:49:54 pts/1 0:00 -ksh
   cfguser 33842 26686 0 15:54:36 pts/3 0:00 -ksh
   # kill 20566 21978

5. As cfguser, drop the Trust Authority databases. Shown below are examples of how to use DB2 commands to display and drop the databases, along with sample output.
   # su - cfguser
   $ db2
   (c) Copyright IBM Corporation 1993,1997
   Command Line Processor for DB2 SDK 5.2.0

   You can issue database manager commands and SQL statements from the command prompt.
   For example:
       db2 => connect to sample
       db2 => bind sample.bnd

   For general help, type: ?.
   For command help, type: ? command, where command can be the first few keywords
   of a database manager command. For example:
    ? CATALOG DATABASE for help on the CATALOG DATABASE command
    ? CATALOG          for help on all of the CATALOG commands.

   To exit db2 interactive mode, type QUIT at the command prompt.
   Outside interactive mode, all commands must be prefixed with 'db2'.
   To list the current command option settings, type LIST COMMAND OPTIONS.
   For more detailed help, refer to the Online Reference Manual.

   db2 => list db directory

    System Database Directory

    Number of entries in the directory = 5

   Database 1 entry:
    Database alias           = CFGDB
    Database name            = CFGDB
    Local database directory = /local/cfguser
    Database release level   = 8.00
    Comment                  =
    Directory entry type     = Indirect
    Catalog node number      = 0

   Database 2 entry:
    Database alias           = LDAPDB
    Database name            = LDAPDB
    Local database directory = /local/cfguser
    Database release level   = 8.00
    Comment                  =
    Directory entry type     = Indirect
    Catalog node number      = 0

   Database 3 entry:
    Database alias           = IBMDB
    Database name            = IBMDB
    Local database directory = /dbfsibm
    Database release level   = 8.00
    Comment                  =
    Directory entry type     = Indirect
    Catalog node number      = 0

   Database 4 entry:
    Database alias           = ADTDB
    Database name            = ADTDB
    Local database directory = /dbfsadt
    Database release level   = 8.00
    Comment                  =
    Directory entry type     = Indirect
    Catalog node number      = 0

   Database 5 entry:
    Database alias           = PKRFDB
    Database name            = PKRFDB
    Local database directory = /dbfspkrf
    Database release level   = 8.00
    Comment                  =
    Directory entry type     = Indirect
    Catalog node number      = 0

   db2 => quit
   DB20000I The QUIT command completed successfully.
   $ db2 force application all
   DB20000I The FORCE APPLICATION command completed successfully.
   DB21024I This command is asynchronous and may not be effective immediately.
   $ db2 terminate
   DB20000I The TERMINATE command completed successfully.
   $ db2 drop database cfgdb
   DB20000I The DROP DATABASE command completed successfully.
   $ db2 drop database ldapdb
   DB20000I The DROP DATABASE command completed successfully.
   $ db2 drop database ibmdb
   DB20000I The DROP DATABASE command completed successfully.
   $ db2 drop database adtdb
   DB20000I The DROP DATABASE command completed successfully.
   $ db2 drop database pkrfdb

6. Enter the following commands to stop DB2:
   $ db2stop
   SQL1064N DB2STOP processing was successful.

7. As root, enter the following commands to drop the cfguser database instance:
   $ su
   root's Password: password
   # /usr/lpp/db2_05_00/instance/db2idrop cfguser
   DBI1070I Program db2idrop completed successfully.

8. Use the ps and kill commands to identify and then stop all shells that are running as cfguser:


   # ps -ef | grep cfguser
   cfguser 15664 33842 0 15:54:58 pts/3 0:00 -ksh
   cfguser 16270 31674 0 09:20:53 pts/1 0:00 -ksh
   cfguser 20570 22768 0 16:02:40 pts/3 0:00 -ksh
   cfguser 26686 13570 0 15:54:05 pts/3 0:00 -ksh
   cfguser 28748 16270 0 09:22:26 pts/1 0:00 -ksh
   cfguser 29830 16772 0 15:49:54 pts/1 0:00 -ksh
   root 30274 21276 1 16:07:03 pts/3 0:00 grep cfguser
   cfguser 33842 26686 0 15:54:36 pts/3 0:00 -ksh
   # kill 15664 16270 20570 26686 28748 3384

9. Enter the following commands to remove cfguser and pkix files:
   rm -rf /local/cfguser
   rm -rf /usr/pkix

10. Enter the following command to uninstall the Trust Authority program filesets:
    installp -u 'ta.*' 'sway.*'

11. Enter the following command to remove Trust Authority files that were created:
    rm -rf /usr/lpp/iau

12. Enter the following command to shut down and restart the AIX machine:
    shutdown -Fr

Uninstall from Windows NT
If you installed the Trust Authority server components on a Windows NT system, use the following procedure only if you need to uninstall the product. Review the following guidelines before removing the Trust Authority software:
• If you installed the components on multiple machines, you must repeat the following steps to remove software from each machine.
• If you receive any error messages about processes not existing, you can ignore the messages and continue. This procedure provides general guidance; processes actually running on your system may be different.
• This procedure assumes the default installation drive (c:), Trust Authority configuration user name (cfguser), and Trust Authority database names. If your installation is different, adapt the procedure accordingly.

1. Select Start → Programs → IBM SecureWay Trust Authority → Stop Trust Authority.
2. After ensuring that all the components have stopped, select Start → Settings → Control Panel.
3. Double-click Add/Remove Programs.
4. Select the IBM SecureWay Trust Authority program folder, and click Add/Remove.
5. When prompted to confirm that you want to delete the program, click Yes.
6. Open a DB2 command window: Select Start → Programs → DB2 for Windows NT → Command Window.
7. Enter the following commands to uninstall the Trust Authority instance and databases:
set db2instance=cfguser
db2 force application all
db2 terminate
db2 drop db adtdb
db2 drop db pkrfdb
db2 drop db ibmdb
db2 drop db cfgdb
db2stop
db2idrop cfguser
rd /s c:\cfguser

8. Enter the following commands to uninstall the Directory instance and database. Note that this procedure assumes that the Directory was installed and configured by Trust Authority; if you configured Trust Authority for an existing Directory, adapt the steps accordingly.

Note: You do not need to uninstall the Directory. If you want to re-use it, be sure to specify that you are using an existing Directory the next time you run the Setup Wizard to configure Trust Authority.

set db2instance=ldapInst
db2 force application all
db2 drop db ldapDB
db2stop
db2idrop ldapInst
rd /s c:\ldapInst

9. Ensure that all directories installed for Trust Authority have been removed. The default installation path is c:\Program Files\IBM\Trust Authority. Manually delete any directories in this path.

10. Shut down and restart Windows NT.


Chapter 4. Tell me about...

The topics in this section may help you understand and use IBM SecureWay Trust Authority. They provide general information about Trust Authority features, and detailed information about the components you must configure when setting up a Trust Authority system.

Auditing
In Trust Authority, the Audit server supports the following activities:
• It receives audit events from audit clients, such as the Registration Authority and Certificate Authority.
• It writes the events to an audit log that is typically stored in a DB2 database (you can choose to store the log as a data file). There is one record in the log per audit event.
• It allows the audit clients to mask certain audit events. Although some events are always logged, you can employ masking to prevent other events from being reported. This allows you to control the size of the audit logs and ensure that the logged events are ones that are of interest in your environment.
• It computes a message authentication code (MAC) for each audit record. The MAC helps ensure the integrity of the database contents. For example, you can determine whether a record has been altered, tampered with, or deleted since it was logged.
• It provides a tool for performing integrity checks on the audit database and archived audit records.
• It provides a tool for archiving and signing the current state of the audit database. For security purposes, you should archive the audit database and store it off-site on a periodic basis. Archiving the database can also provide performance benefits and conserve disk space.

When you run the Setup Wizard, you must identify the host name of the Audit server. You must also identify a free port where the Audit server can listen for client requests.

After configuring the system, see the Trust Authority System Administration Guide for information about the following tasks:
• Running the Change Password tool to change the Audit Administrator’s password. This step is critical for ensuring that only the Audit server accesses the audit logs or runs the audit administration tools.
• Running the AuditIntegrityCheck tool to check the integrity of the audit database and archived audit files.
• Running the AuditArchiveAndSign tool to archive all records in the current audit database table to a file, and then sign the file.
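The per-record MAC, event masking, integrity check and archive-and-sign steps described above, as an added illustration written for this page. It is not Trust Authority’s record format, key handling or the AuditIntegrityCheck and AuditArchiveAndSign tools: the AuditLog class, the ALWAYS_LOGGED set and the event names are assumptions of the example, and an HMAC tag stands in for the digital signature that the real archive step applies.

```python
"""Constructed illustration of a MAC-protected, append-only audit log.
Not product code: the record layout and mandatory-event list are assumed."""
import hashlib
import hmac
import json

# Event types that are logged even when a client masks them. The product's own
# list of mandatory events is not given on this page; this set is an assumption.
ALWAYS_LOGGED = {"server_start", "server_stop", "key_change"}

CHAIN_ANCHOR = b"\x00" * 32  # "previous MAC" used for the very first record


class AuditLog:
    """Append-only audit log whose records are chained by HMAC-SHA256."""

    def __init__(self, mac_key, mask=()):
        self._key = mac_key          # known only to the audit server
        self._mask = set(mask)       # event types the client chose not to report
        self.records = []            # one record per audit event
        self._head = CHAIN_ANCHOR    # MAC of the most recent record

    def _mac(self, seq, event, prev_mac):
        # The MAC covers the sequence number and the previous record's MAC, so
        # editing, removing or reordering a record breaks every later MAC.
        body = json.dumps(event, sort_keys=True).encode()
        msg = seq.to_bytes(8, "big") + prev_mac + body
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def log(self, event_type, **fields):
        """Append an event. Returns False when the mask suppressed it."""
        if event_type in self._mask and event_type not in ALWAYS_LOGGED:
            return False
        seq = len(self.records)
        event = {"type": event_type, **fields}
        mac = self._mac(seq, event, self._head)
        self.records.append({"seq": seq, "event": event, "mac": mac.hex()})
        self._head = mac
        return True

    def archive_state(self):
        """Snapshot of the chain head to keep off-site. An HMAC tag stands in
        for the digital signature of the real archive-and-sign step."""
        state = {"count": len(self.records), "head": self._head.hex()}
        tag = hmac.new(self._key, json.dumps(state, sort_keys=True).encode(),
                       hashlib.sha256).hexdigest()
        return {**state, "tag": tag}

    def integrity_check(self, archived=None):
        """Return the problems found (an empty list means the log is intact).
        Passing an earlier archive_state() snapshot also detects records
        deleted from the end of the log, which the chain alone cannot see."""
        problems = []
        prev = CHAIN_ANCHOR
        for pos, rec in enumerate(self.records):
            if rec["seq"] != pos:
                problems.append(f"gap or reorder at position {pos} (seq {rec['seq']})")
            expected = self._mac(rec["seq"], rec["event"], prev)
            if not hmac.compare_digest(expected.hex(), rec["mac"]):
                problems.append(f"MAC mismatch at seq {rec['seq']}")
            prev = bytes.fromhex(rec["mac"])
        if archived is not None:
            state = {"count": archived["count"], "head": archived["head"]}
            tag = hmac.new(self._key, json.dumps(state, sort_keys=True).encode(),
                           hashlib.sha256).hexdigest()
            if not hmac.compare_digest(tag, archived["tag"]):
                problems.append("archived snapshot tag invalid")
            n = archived["count"]
            if len(self.records) < n or (n and self.records[n - 1]["mac"] != archived["head"]):
                problems.append("log no longer matches the archived snapshot")
        return problems
```

The design point worth noticing is the last one: a chain of MACs detects alteration, reordering and deletion in the middle of the log, but a record removed from the tail leaves a perfectly valid shorter chain. That is why the archive step records (and signs) the current chain head: the off-site copy is what lets a later integrity check notice truncation.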


Certificate authorities
A Certificate Authority (CA) acts as a trusted third party to ensure that users who engage in e-business can trust each other. It vouches for the identity of users through the certificates it issues. In addition to proving the identity of the user, the certificate includes a public key that enables the user to verify and encrypt communications.

In such a security model, the trustworthiness of the parties depends on the trust that is placed in the CA that issued the certificate. To ensure the integrity of a certificate, the CA digitally signs the certificate as part of creating it. Attempts to alter a certificate will invalidate the signature and render it unusable.

In Trust Authority, the CA supports the following activities:
• To ensure the uniqueness of a certificate, the CA generates a serial number for each new certificate and for each renewed certificate. This serial number is a unique identifier that is not stored as part of the distinguished name (DN) in the certificate.
• To track the certificates it issues, the CA maintains an issued certificate list (ICL). The ICL stores a secure copy of each certificate, indexed by serial number. Typically the ICL is created as a DB2 database.
• To track revoked certificates, the CA creates and updates certificate revocation lists (CRLs). Just as it signs certificates, the CA digitally signs all CRLs to vouch for their integrity.
• To protect against data tampering, the CA computes a message authentication code (MAC) for each record written to the database. The MAC helps ensure the integrity of the database by enabling you to detect when data in it has been altered or deleted.
• To further protect the CA’s signature, the CA can be integrated with the IBM SecureWay 4758 PCI Cryptographic Coprocessor. The 4758 uses a cryptographic key stored in hardware to encrypt and protect the CA’s signing key.
• To support auditing and data recovery, the CA generates audit records for numerous auditable events. These records are stored in a DB2 database by the Audit server.

For more information about the Trust Authority CA, see the Trust Authority System Administration Guide. For example, that book contains guidelines for adjusting runtime options for the CA server and procedures for establishing cross-certified and hierarchical CA trust models.

DB2® databases
IBM SecureWay Trust Authority uses IBM DB2 Universal Database™ to store certificate data, registration data, and audit logs. Before you run the Setup Wizard, you must ensure that the correct level of DB2 software is available on each machine where you installed a Trust Authority server component.

As part of a post-installation process, Trust Authority creates the configuration database and populates it with default data. During configuration, it creates databases for the server components. Listed below are the default database names:
• cfgdb, for the configuration database
• ibmdb, for the CA database
• pkrfdb, for the registration database
• adtdb, for the audit database
• ldapdb, for the Directory database (unless you use an existing one)

If you installed any components on remote machines, you must follow the procedures in “Set up remote servers” on page 13 to ensure that the databases are set up correctly.

Directories
IBM SecureWay Trust Authority uses the IBM SecureWay Directory as its central repository for public key certificates. Through its integration with DB2, the Directory can support millions of directory entries. It also enables a client application, such as Trust Authority, to perform storage, update, and retrieval transactions.

In Trust Authority, the RA server publishes the following information in the Directory:
• Public key certificates, which are used for encryption and authentication
• The attributes associated with a distinguished name (the owner’s roles and privileges)
• Certificate revocation lists that list the serial numbers for all revoked certificates
• Information about the CA that signs the certificates, including the business and certificate policies associated with the certificate

The Directory provides the means to securely enroll and authenticate users and resources. The Directory defines a common directory schema; that is, the rules by which information can be stored in or retrieved from the Directory. The schema enforces uniformity of data. It also ensures that information about a given user or resource is not stored in multiple locations or formats across the network.

When you run the Setup Wizard, you must specify information that will enable the Trust Authority components to read, store, and update data in the Directory. In addition to knowing where the Directory is installed in your network, you need to understand:
• The Directory tree
• The Directory root administrator
• The Directory administrator

For more information about how Trust Authority interacts with the Directory, see ″Using the SecureWay Directory With Trust Authority″. This document is available at the IBM SecureWay Trust Authority Web site.

Directory trees
Each entry in the Directory represents a single object (such as a person, organization, resource, or device) that is identified by a unique and unambiguous distinguished name. The DN contains a set of attributes that help to uniquely identify the object and delineate the object’s privileges. Attributes can specify the object’s country of origin, the organization the object is affiliated with, and the name the object is known by.

All Directory entries are logically organized into a hierarchical structure that is called the Directory tree. This tree has a single root and an unlimited number of cascading nodes. Each node corresponds to a Directory entry that helps to uniquely distinguish subordinate entries from other subordinate entries at the same node.

The DN syntax is controlled by the Directory schema and the client that is attempting to access the Directory. When specifying DNs for Trust Authority, you can type them into data entry fields or use a graphical user interface.
• See “Specify DNs by typing them” on page 14 for instructions on how to specify DNs by using the syntax that is required by Trust Authority.
• See “Use the DN Editor” on page 15 for instructions on how to use the Distinguished Name Editor to define DNs. Using the editor reduces the possibility for error, and keeps you from having to be knowledgeable about the DN syntax.

Root DNs
A root DN is a Directory agent that has the authority to update the entire Directory tree. It is a configured entity, but it does not actually exist in the Directory tree.

The root DN also allows Trust Authority to determine basic information about the Directory server. For example, attributes in the root DN provide the following characteristics about the Directory:
• The level of Directory software that is installed
• The object classes and attribute schemas known to the server
• The operations and controls that are supported by the server
• The supported security protocols

When you run the Setup Wizard, you must specify a DN and password for the Directory root. If you are using a Directory that was in place before you installed Trust Authority, you must specify the existing Directory root DN and its password.

Directory administrators
Because the Trust Authority CA does not directly bind to the Directory, it uses an agent, called the Directory administrator, to manage the subtree where entries signed by the CA are stored. The Directory administrator, which is specific to a CA, has the authority to update all entries at or below the CA’s entry point in the Directory tree. This privilege includes the ability to add, delete, change, read, search, and compare Directory entries.

When you run the Setup Wizard, you must specify a DN and password for the Directory administrator. If you are using a Directory that was in place before you installed Trust Authority, you must specify the existing Directory administrator DN and its password.

PKIX CMP connections
The Public Key Infrastructure for X.509 version 3 standard (PKIX) evolved out of the need to provide a framework to facilitate the interoperability of e-business applications. Its primary advantage is that it enables organizations to conduct secure electronic transactions without regard for operating platform or application software package.

In Trust Authority, the Client application provides the user interface for handling requests that use the PKIX certificate management protocol (CMP). PKIX CMP uses TCP/IP as its primary transport mechanism. When you run the Setup Wizard, you must identify a free port where the RA server can listen for PKIX CMP connections.

When a user submits a request to obtain, renew, or revoke a certificate, the Client communicates the request to the Registration Authority. When the certificate is issued, the application stores it on the user’s virtual or physical smart card. Contrast this approach with “SSL connections”, in which a Web browser communicates the request to the RA to obtain the certificate for the user.

The Trust Authority Client application allows users to export PKIX certificates to existing Internet-based or PKI-aware applications, such as Microsoft Internet Explorer and Netscape Navigator. This feature provides flexible and extensible support for multiple Internet-accessible applications, such as secure e-mail.

See the Trust Authority User’s Guide for information about using the Trust Authority Client application to obtain and manage certificates.

Registration domains
Each Trust Authority system has a single registration domain. This domain defines the business policies, certificate policies, and resources relating to your organization’s registration and certification processes. Users who want to access a resource must be registered in the domain that governs the use of that resource.

When the RA server software is installed, it contains the framework for the registration facility. When you run the Setup Wizard, you choose a domain name, domain language, and domain path for the registration processes being run for this installation of Trust Authority.

After you save configuration data and start the configuration process, the configuration programs create the registration domain. The system uses the domain name to formulate the URL through which users access the registration facility.

For example, if your public Web server is named MyPublicWebServer, and your domain name is MyDomain, you would use the following URL to access the registration site:
http://MyPublicWebServer:80/MyDomain/index.jsp

The default Java Server Page (index.jsp) at this URL is named Credential Central. It provides the entry point for collecting enrollment data, registering users, and issuing certificates that support the purposes defined in the default certificate profiles. As part of customizing the registration facility for this domain, your organization may have renamed this page and altered the enrollment forms. It may also have added, removed, or changed the certificate profiles.
• See “Customize the registration domain” on page 22 for a summary of the ways in which your organization can customize the registration facility.
• See the Trust Authority Customization Guide for complete information about how to customize registration processing to support your organization’s policies.

SSL connections
The Secure Sockets Layer (SSL) protocol uses public key signatures, digital certificates, and encryption to provide two communicating parties — typically a Web server and a browser client — with a trustworthy and private environment for exchanging messages.

SSL provides the following advantages over a standard TCP/IP socket connection:
• Privacy. All messages exchanged between the client and server are encrypted, and only the two parties that engage in the transaction can decrypt the data.
• Integrity. An integrity check based on a secure hash function ensures that the corruption of data will not go undetected.
• Authenticity. Through the exchange of digital certificates, the client can authenticate the identity of the server and, optionally, the server can authenticate the client.
• Non-repudiation. Through digital signatures, all communications can be traced to the originating entity, allowing accountability to be proved as necessary.

In a Trust Authority system, separate ports exist for handling different levels of authentication. When you run the Setup Wizard, you identify one secure port to process SSL connections that require server authentication. You identify a second secure port to process SSL connections that require both server and client authentication.

The registration facility includes a set of browser enrollment forms that enable users to communicate SSL requests or obtain certificates for use in SSL-enabled applications. For example, when a user submits a request to renew a certificate, the user’s Web browser communicates the request to the Registration Authority. When the new certificate is issued, the RA stores it in the user’s browser. Contrast this approach with “PKIX CMP connections” on page 32, in which the Client application communicates the request and installs the certificate for the user.

See Trust Authority User’s Guide for information about using the browser enrollment forms to obtain, renew, and revoke certificates. That book discusses the different types of certificates that you can obtain by using the default certificate profiles, and describes the intended purpose of each certificate type.

Web servers
Trust Authority uses a model based on three virtual servers and three ports to process client requests. As part of configuring the system, you identify the host names and ports that you configured when installing the IBM HTTP Server.

The public Web server uses the HTTP protocol and a single port to handle non-SSL requests. These requests do not require encryption or authentication.

Two secure Web servers use the HTTPS protocol to handle SSL requests. To ensure confidentiality, all communication between a client and a secure server is encrypted. Additionally, public key cryptography inherent in an SSL connection enables the server to be authenticated at session startup. In a Trust Authority system, you configure one of the secure server ports to authenticate the client at session startup, too.

The following table summarizes this architecture and the default port values. Depending on how your organization set up the firewall, you may need to use the same port number, such as 443, to process both types of secure requests. If so, see the Trust Authority Up and Running book for information about setting up IP aliases for the different Web server processes. You must define these aliases and ports before you run the Trust Authority Setup Wizard.

Protocol   SSL   Server Authentication   Client Authentication   Port Number
HTTP       No    No                      No                      80
HTTPS      Yes   Yes                     No                      443
HTTPS      Yes   Yes                     Yes                     1443
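The three virtual servers in the table above, expressed as the server-side TLS settings each one needs. This is an added example written for this page, not IBM HTTP Server or Trust Authority configuration: the VIRTUAL_SERVERS dictionary and the function names are chosen here, certificate file paths are placeholders, and the TLS 1.2 minimum is a present-day hardening assumption that the guide itself does not state.

```python
"""Added example: build the TLS settings for the public, server-authenticated
and mutually authenticated Web servers. Not product code; paths are placeholders."""
import ssl

# Port plan taken from the table above. Only the roles and ports come from the
# guide; the dictionary shape is this example's own.
VIRTUAL_SERVERS = {
    "public":      {"port": 80,   "ssl": False, "client_auth": False},
    "server-auth": {"port": 443,  "ssl": True,  "client_auth": False},
    "mutual-auth": {"port": 1443, "ssl": True,  "client_auth": True},
}


def make_server_context(role, certfile=None, keyfile=None, client_ca_file=None):
    """Return an SSLContext for the named virtual server, or None for plain HTTP.

    certfile/keyfile hold the server's own certificate (server authentication);
    client_ca_file is the CA bundle used to validate client certificates on the
    mutual-auth server. Both are placeholders here and are only loaded if given."""
    spec = VIRTUAL_SERVERS[role]
    if not spec["ssl"]:
        return None                              # port 80: no encryption, no authentication
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed modern hardening, not from the guide
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)   # lets clients authenticate this server
    if spec["client_auth"]:
        # Port 1443: the client must present a certificate during the handshake.
        # Without a trust store loaded, every client handshake will fail, so a
        # real deployment must supply client_ca_file before serving.
        ctx.verify_mode = ssl.CERT_REQUIRED
        if client_ca_file:
            ctx.load_verify_locations(cafile=client_ca_file)
    else:
        ctx.verify_mode = ssl.CERT_NONE          # port 443: only the server is authenticated
    return ctx


def client_cert_policy(role):
    """'required', 'none' or None (plain HTTP), read back from the built context."""
    ctx = make_server_context(role)
    if ctx is None:
        return None
    return "required" if ctx.verify_mode == ssl.CERT_REQUIRED else "none"


def needs_ip_alias(plan):
    """True when two virtual servers share a port number; each process then
    needs its own IP alias, as the firewall note above describes."""
    ports = [spec["port"] for spec in plan.values()]
    return len(ports) != len(set(ports))
```

The distinction the table draws is entirely in verify_mode: the 443 server proves its own identity but asks nothing of the client, while the 1443 server refuses the handshake unless the client presents a certificate that chains to the loaded CA bundle. needs_ip_alias is the check to run before the Setup Wizard when the firewall forces both secure servers onto 443.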

4758 coprocessors
Although it is optional, you are encouraged to use the IBM SecureWay 4758 PCI Cryptographic Coprocessor to maximize the security of the CA’s signing key.

As part of installing the 4758 coprocessor, the configuration program generates a master key and stores it in hardware. In a Trust Authority system, the coprocessor can use this master key, and an RSA algorithm, to triple-encrypt the CA’s signing key. This step provides an extra layer of security against attempts to compromise or otherwise decipher the CA’s signature.

If you decide to use the 4758 coprocessor, you must install it on the machine where you install the Trust Authority CA. When you run the Setup Wizard, you specify whether or not the CA should use the coprocessor to protect its signing key.

In most Trust Authority systems, the CA’s key is not physically stored with the master key. However, a configuration option allows you to override this default — an action that IBM discourages. If you choose to store the CA’s key in hardware, you need to assess the following risks:
• When the 4758 coprocessor is backed up, only its master key is backed up, not any other keys stored on the hardware card. Therefore, if the card is damaged or some other hardware failure occurs, you will lose the CA’s signing key.
• If the CA’s key is lost or compromised, you must take the CA down and bring it up with a new key. While the CA is unavailable, users whose certificates are signed by the CA cannot use them because there is no means to validate them.
• Because the certificates that were signed with the CA’s original key are no longer valid, you must issue new certificates signed with the new CA key after you re-establish the CA.

For information about installing, configuring, and cloning the 4758 coprocessor, see ″Using the SecureWay 4758 Coprocessor With Trust Authority″. This document is available at the IBM SecureWay Trust Authority Web site.


Chapter 5. Reference

The topics in this section describe the values you can specify when running the Trust Authority Setup Wizard. Each topic describes a separate window in the applet.

The final two topics provide general information about the applet:
• “Keyboard alternatives for mouse actions” on page 46 presents alternative ways to navigate the applet.
• “National language considerations” on page 47 provides tips for running the applet in a language other than English.

Startup options
When you first start the Setup Wizard, the system tells you the host name of the server where the main Trust Authority software is installed. If this is not the server you intend to configure, click Exit to exit the Setup Wizard. If you exit the Setup Wizard before configuration is complete, no data will be saved.

Attention!
If you run the Setup Wizard for a machine that is already configured, you will destroy all existing data. You cannot reconfigure an existing system or import configuration data to a previously configured system.

Import data from an existing configuration
Select this option only if:
• You previously installed and configured a Trust Authority system
• You want to use the existing configuration data as the baseline for configuring this system
• This new system is installed on the same operating system platform as the previous system

If you plan to install Trust Authority on multiple servers and set up a similar configuration on each, you may want to take advantage of this feature.

If you check this check box, you will be prompted to select the name of the file that contains the configuration data you want to import.

Import options
If you specified that you want to import data from an existing configuration, you must specify options about the configuration data you want to import.

Configuration data
The list box contains a list of all configuration data files that were saved during previous installations of Trust Authority and copied to this machine. Scroll the list and select the file that contains the configuration values you want to apply to this installation.

The Setup Wizard copies the imported values into the current applet session. As you advance through the applet, you can keep the displayed values, or selectively change values that do not apply to this Trust Authority system.

New installation or migration
• Click New if you are configuring a new Trust Authority system. The configuration programs will create a new configuration database to hold data for this new instance of Trust Authority.
• Click Migration if you are migrating configuration data. For example, you would choose this option to migrate data from a previous version of Trust Authority. The configuration programs will copy the existing configuration database for use in this Trust Authority installation.

Trust Authority password options
You must specify a password to secure the Trust Authority server components. This password enables the configuration programs to apply your configuration values, create the required databases, and update the server configuration files.

Trust Authority password
The password you type here must match the password for the Trust Authority configuration user.
• If you installed Trust Authority on AIX, this user is created as cfguser during the post-installation configuration process. The default password is Secure99. If you changed the password after this account was created, be sure to specify that new password here.
• If you installed Trust Authority on Windows NT, you should have created this user when setting up Windows before installing the Trust Authority software. The suggested value is cfguser but your installation may be different. There is no default password.

Attention!
After the configuration process is complete, you must use the Change Password utility to specify passwords for several trusted server components. To use that utility, you must specify this same Trust Authority password.

Confirm Trust Authority password
Type the same password again.

If you specified a password that includes a mix of uppercase and lowercase characters, be sure to type them in the same case here.

CA and Audit server options
You must specify options that will enable other Trust Authority components to communicate with the Trust Authority certificate authority (CA) and auditing subsystem.

The Trust Authority CA and Audit server programs must exist on the same machine. Depending on how your organization installed the software, they may or may not be on the same machine with the Registration Authority (RA) or the Directory server.

Host name or IP address
Type the fully qualified host name of the machine where the CA and Audit server programs are installed. You cannot type the short name or alias, nor can you type the IP address.

This is the host name configured for this server in your network’s TCP/IP Domain Name Service (DNS). The default value is the host name of the Registration Authority server.

Port number for the CA server
Identify a free port where the Trust Authority CA should listen for requests. The default value is 1830.

Port number for the Audit server
Identify a free port where the Trust Authority Audit subsystem should listen for requests. The default value is 59998.

DN for the CA
This distinguished name identifies the CA in the Directory and allows users to readily identify which CA signed a certificate they have been issued. The default value is:
/C=US/O=Your Organization/OU=Trust Authority/CN=Trust Authority CA

If you are familiar with the format of X.509v3 DNs, you can type a unique DN for the Trust Authority CA. See “Specify DNs by typing them” on page 14 for information about how to specify DNs in the format required by Trust Authority.

To facilitate your ability to specify a unique DN, and to eliminate the possibility of error, click the DN Editor icon. See “Use the DN Editor” on page 15 for information about creating DNs with this tool.
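The slash-separated DN form shown above, together with the subtree authority of the Directory administrator described in Chapter 4, as an added example that is not part of this guide or of the DN Editor. parse_slash_dn, to_ldap_dn and is_at_or_below are names chosen here; KNOWN_TYPES is an assumption, because the real Directory schema decides which attribute types are permitted; and the example does not handle values containing “/”, since the guide defines no escape for them.

```python
"""Added example: parse Trust Authority style DNs ('/C=US/O=.../CN=...'),
render them as LDAP strings, and test subtree containment. Not product code."""
import re

# Attribute types accepted by this example. The Directory schema is the real
# authority on which types exist; treat this set as an assumption.
KNOWN_TYPES = {"C", "O", "OU", "CN", "L", "ST", "DC"}


def parse_slash_dn(text):
    """'/C=US/O=Org/OU=Unit/CN=Name' -> [('C', 'US'), ('O', 'Org'), ...]
    Components are kept root-first, as written. Raises ValueError on bad input.
    Values containing '/' are not supported (the guide defines no escape)."""
    if not text.startswith("/"):
        raise ValueError("DN must start with '/'")
    rdns = []
    for part in text[1:].split("/"):
        if not part:
            raise ValueError("empty RDN component")
        m = re.fullmatch(r"\s*([A-Za-z]+)\s*=\s*(.*?)\s*", part)
        if not m:
            raise ValueError(f"bad RDN: {part!r}")
        attr, value = m.group(1).upper(), m.group(2)
        if attr not in KNOWN_TYPES:
            raise ValueError(f"unknown attribute type: {attr}")
        if not value:
            raise ValueError(f"empty value for {attr}")
        rdns.append((attr, value))
    return rdns


def is_valid_dn(text):
    """True if parse_slash_dn accepts the text."""
    try:
        parse_slash_dn(text)
        return True
    except ValueError:
        return False


def _escape_ldap_value(value):
    # RFC 4514 escaping for the characters that are special inside a value.
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def to_ldap_dn(rdns):
    """Leaf-first, comma-separated form, which is what LDAP clients expect."""
    return ",".join(f"{a}={_escape_ldap_value(v)}" for a, v in reversed(rdns))


def _normalized(rdns):
    # DN comparison is case-insensitive for attribute values in most schemas.
    return [(a, v.casefold()) for a, v in rdns]


def is_at_or_below(entry_dn, base_dn):
    """True if entry_dn equals base_dn or lies in its subtree. This is the
    test a Directory administrator's authority is scoped by: it may update
    entries at or below the CA's entry point, and nothing outside it."""
    entry = _normalized(parse_slash_dn(entry_dn))
    base = _normalized(parse_slash_dn(base_dn))
    return len(entry) >= len(base) and entry[: len(base)] == base
```

The reversal in to_ldap_dn is the part that trips people up: the guide’s form lists the country first and the common name last, while an LDAP client expects the opposite order, and values with commas must be escaped or the resulting DN silently gains an extra RDN.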

CA key options
You must specify an encryption algorithm and key size for the CA’s private signing key. If your organization installed the IBM SecureWay 4758 PCI Cryptographic Coprocessor, you can optionally set up the CA so that it uses cryptographic hardware for key protection.

Algorithm for signing certificates
Select an encryption algorithm for the Trust Authority CA’s digital signature. The CA’s signature vouches for the authenticity and integrity of the certificates and certificate revocation lists (CRLs) signed by the CA.

In this version of the product, you must select sha-1WithRSAEncryption.

This generates a signature by applying a SHA-1 hash function to the signature calculation defined in the RSA standard (as developed by Rivest, Shamir, and Adleman). With RSA, the verification of the signature is relatively fast. However, generation of the signature may take longer than when using other algorithms.

Certificate key size
The security of the CA’s digital signature is also a factor of the key size. Generally, the signature algorithm is considered secure when the key size is large enough to prevent a reverse computation. While larger key sizes enhance security, they also increase the time needed to verify the signature when establishing a secure session.

In this version of the product, you must select 1024.

Use cryptographic hardware
Select this option only if:
• You installed Trust Authority on an IBM AIX platform
• You previously installed the 4758 cryptographic coprocessor on the Trust Authority CA and Audit server machine
• You want to use the 4758 coprocessor to protect the CA’s key

If you do not use the 4758 coprocessor, the CA’s keys are encrypted and stored in a secure KeyStore as always. However, the 4758 coprocessor offers extended hardware protection by using its master key to encrypt the CA’s signing key.

RSA key size
If you specified that you want to use cryptographic hardware, the 4758 coprocessor will automatically use an RSA algorithm to encrypt the CA’s signing key. You must select a key size to be used as input to the computation. A larger key size can enhance security, but it also increases the time that is needed to verify secure transactions.

Choose one of the following values. The default value is 1024.
• 512
• 768
• 1024
• 2048

Store signing key in hardware
If you specified that you want to use cryptographic hardware, you can choose whether or not the CA’s signing key should be physically stored in hardware.

The default and recommended value is No.

Attention!
When the 4758 coprocessor is backed up, only its master key is backed up. If the hardware is damaged, you will lose the CA’s key. To resolve the loss, you must bring up the CA with a new key and then re-issue newly signed certificates to your existing certificate holders.

Select Yes only if you understand the risks involved. See “4758 coprocessors” on page 35 for a discussion of risks and corrective actions.

Directory server optionsYou must specify options that will enable Trust Authority to communicate with theIBM SecureWay Directory server. For example, the RA server publishes certificatesand certificate revocation lists (CRLs) in the Directory. Applications need to readinformation in the Directory when assessing the validity of a certificate.

40 Trust Authority: Configuration Guide

Host name or IP addressType the fully qualified host name of the machine where the Directoryserver software is installed. You cannot type the short name or alias, norcan you type the IP address.

This is the host name that is configured for this server in your network’sTCP/IP Domain Name Service (DNS). It may be a Directory server thatyou use with other applications, or it may be one that you set upspecifically for use with Trust Authority. The default value is the host nameof the Registration Authority server.

Port number for the DirectoryIdentify a free port where the Directory server should listen for requests.The default value is 389.

Use an existing SecureWay DirectoryBy default, this check box is not enabled, which indicates that you want tocreate a new Directory database for use with Trust Authority.

You should check this check box only if you previously installed theSecureWay Directory and want to use it to store information for TrustAuthority.

If you plan to use Trust Authority with an existing Directory, see ″Using theSecureWay Directory With Trust Authority.″ This document is available at theTrust Authority Web site.

Directory root options
You must specify a distinguished name (DN) and password for the Directory root. The root is a Directory agent that has the authority to administer all entries in the Directory tree. It also enables Trust Authority to obtain information about the protocols and standards supported by the Directory server.

Note: If your Directory server was in place before you installed Trust Authority, you may already have a Directory root configured for it. If so, specify the existing root DN and its password here.

Root DN
If you are familiar with the format of X.509v3 DNs, you can type a unique DN for the Directory root. The default value is:
/C=US/O=Your Organization/OU=Trust Authority/CN=Ldap Root DN

See “Specify DNs by typing them” on page 14 for information about how to specify DNs in the format that is required by Trust Authority.

To facilitate your ability to specify a unique DN, and to eliminate the possibility of error, click the DN Editor icon. See “Use the DN Editor” on page 15 for information about creating DNs with this tool.

Root password
Type a password for the Directory’s root.

The password must contain 8 characters. To optimize security, you should specify a string that does not spell a real word. The password should also use a mix of uppercase and lowercase characters and include at least one number.

If you specify the password for an existing root DN, be aware that Trust Authority validates only the first 8 characters. Characters beyond the eighth are not examined, so the uppercase, lowercase, and numeric characters that satisfy the rule above should fall within the first 8.

Chapter 5. Reference 41

Confirm root password
Type the same password again.

If you specified a password that includes a mix of uppercase and lowercase characters, be sure to type them in the same case here.

Directory administrator options
You must specify a distinguished name (DN) and password for the Directory administrator. This agent creates and manages entries within the CA’s subtree in the Directory. It works with the CA and RA servers to publish information about certificates and certificate revocation lists.

Note: If your Directory server was in place before you installed Trust Authority, you may already have a Directory administrator configured for it. If so, specify the existing DN and its password here.

Directory administrator DN
If you are familiar with the format of X.509v3 DNs, you can type a unique DN for the Trust Authority Directory administrator. The default value is:
/C=US/O=Your Organization/OU=Trust Authority/CN=DirAdmin

See “Specify DNs by typing them” on page 14 for information about how to specify DNs in the format that is required by Trust Authority.

To facilitate your ability to specify a unique DN, and to eliminate the possibility of error, click the DN Editor icon. See “Use the DN Editor” on page 15 for information about creating DNs with this tool.

Directory administrator password
Type a password for the Directory administrator.

The password must contain 8 characters. To optimize security, you should specify a string that does not spell a real word. The password should also use a mix of uppercase and lowercase characters and include at least one number.

If you specify the password for an existing Directory administrator, be aware that Trust Authority validates only the first 8 characters. As with the root password, the characters that satisfy the rule above should fall within the first 8.

Confirm Directory administrator password
Type the same password again.

If you specified a password that includes a mix of uppercase and lowercase characters, be sure to type them in the same case here.

Allow the Directory administrator to update the Directory
The Directory administrator should have update privileges so that it can add, remove, and alter entries in the Directory.

By default, this check box is enabled, which indicates that the Directory administrator can update the CA’s subtree in the Directory. Typically, you should leave this option enabled.
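The Root DN, Root password, Directory administrator DN, and Directory administrator password fields above share one DN notation and one password rule. The following script is an added example, not part of this guide or of the Trust Authority product: it parses a DN typed in the slash-delimited form the Setup Wizard shows (/C=US/O=.../CN=...), converts it to the comma-separated LDAP string form so that it can be compared with what an existing Directory already holds, and applies the stated password rule. The function names, the word list, and the reading of "validates only the first 8 characters" as "only the first 8 characters take part in any check" are assumptions; the mapping from root-first slash notation to leaf-first LDAP notation with RFC 4514 escaping is standard, but how the Directory stores the DN internally is not described in this guide.

```python
"""Added example (not part of this guide or of Trust Authority): check the
Root DN / Directory administrator DN and password fields before typing them
into the Setup Wizard.

Assumptions (hypothetical unless stated in the guide):
- The slash-delimited DN shown in the guide (/C=US/O=.../CN=...) lists its
  RDNs root-first; an LDAP string DN lists the same RDNs leaf-first and
  escapes ',', '+', '"', '\\', '<', '>', ';' and leading/trailing blanks
  (RFC 4514).
- "Validates only the first 8 characters" is read as: only the first 8
  characters of a password take part in any check.
"""
import re

# A slash that starts a new "ATTR=" component; a slash inside a value
# (e.g. O=AC/DC) is left alone because no attribute name follows it.
_RDN_BOUNDARY = re.compile(r"/(?=[A-Za-z][A-Za-z0-9]*=)")
_LDAP_SPECIAL = set(',+"\\<>;')


def parse_slash_dn(dn: str) -> list[tuple[str, str]]:
    """'/C=US/O=Acme/CN=x' -> [('C', 'US'), ('O', 'Acme'), ('CN', 'x')]."""
    if not dn.startswith("/"):
        raise ValueError("a Trust Authority DN starts with '/'")
    if not dn.isascii():
        raise ValueError("DNs must use ASCII characters only")
    rdns = []
    for part in _RDN_BOUNDARY.split(dn)[1:]:
        attr, sep, value = part.partition("=")
        if not sep or not attr.isalnum() or not value.strip():
            raise ValueError(f"malformed RDN component: {part!r}")
        rdns.append((attr.upper(), value.strip()))
    if not rdns:
        raise ValueError("DN has no components")
    return rdns


def escape_ldap_value(value: str) -> str:
    """Escape an attribute value for an LDAP string DN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (
            ch in _LDAP_SPECIAL
            or (i == 0 and ch in " #")
            or (i == last and ch == " ")
        )
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)


def slash_dn_to_ldap(dn: str) -> str:
    """Convert the wizard's root-first DN into a leaf-first LDAP string DN."""
    rdns = parse_slash_dn(dn)
    return ",".join(f"{attr}={escape_ldap_value(val)}" for attr, val in reversed(rdns))


# Constructed, deliberately tiny word list standing in for a real dictionary.
_COMMON_WORDS = {"password", "welcome", "security", "trustaut", "director"}


def check_password(password: str, confirm: str) -> list[str]:
    """Apply the guide's rule (8 characters, mixed case, a digit, not a word)
    to the first 8 characters only. Returns a list of problems; [] is good."""
    problems = []
    if password != confirm:
        problems.append("password and confirmation differ (case is significant)")
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not password.isascii():
        problems.append("non-ASCII characters present")
    checked = password[:8]  # characters beyond the eighth do not count
    if not any(c.isupper() for c in checked):
        problems.append("no uppercase letter in the first 8 characters")
    if not any(c.islower() for c in checked):
        problems.append("no lowercase letter in the first 8 characters")
    if not any(c.isdigit() for c in checked):
        problems.append("no digit in the first 8 characters")
    if checked.lower() in _COMMON_WORDS:
        problems.append("spells a common word")
    return problems


if __name__ == "__main__":
    print(slash_dn_to_ldap("/C=US/O=Your Organization/OU=Trust Authority/CN=Ldap Root DN"))
    print(check_password("Tr5tAuth", "Tr5tAuth") or "password rule satisfied")
```

Run it against the DN and password you intend to type; if the LDAP form it prints does not match the DN that an existing Directory reports for its root or administrator entry, the wizard's value is wrong before you get as far as a failed configuration step.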

Registration domain options
You must specify information about the registration domain for this installation of Trust Authority. The registration domain defines the business policies, certificate policies, and resources specific to a given instance of the registration facility.


Registration domain name
Type the name that you want to use to identify your registration domain. The default value is YourDomain. You should change this name to something that is meaningful to your organization or the purpose for which you are using the registration facility.

The domain name must conform to the directory naming requirements of your operating system (AIX or Windows NT). Specifically, you must adhere to the following rules when determining the name you want to use:
- The name must be a valid URL string.
- The name cannot contain more than 128 characters.
- The name cannot contain spaces or tabs.
- The name cannot contain the following special characters: back slash (\), forward slash (/), colon (:), asterisk (*), question mark (?), quotation marks ("), angle brackets (< >), vertical bar (|), pound sign (#), dollar sign ($), or apostrophe (’).

Registration domain language
Select the language for this registration domain.

When users submit a certificate request, or when administrators access the RA Desktop, data will be presented and stored in the selected language. The default value is English.

Choose one of the following values:
- English
- French
- German
- Italian
- Spanish
- Brazilian Portuguese
- Japanese
- Korean
- Simplified Chinese
- Traditional Chinese

Root installation directory
Type the location of the registration domain on the RA server. You must specify the fully qualified path.

During configuration, the system sets up the registration domain at this location. If you customize the registration facility, you customize files in this domain. This ensures that any registration activity that addresses this domain is governed by the policies that you define for it.
- In AIX, the default value for the domain path is:
  /usr/lpp/iau/pkrf/Domains
- In Windows NT, the default value for the domain path is:
  c:\Program Files\IBM\Trust Authority\pkrf\Domains

Public Web server options
You must specify options that will enable the Trust Authority components to communicate with the public Web server. This server handles requests that do not require encryption or authentication.


Host name or IP address for the public server
Type the fully qualified host name of the server that is set up to handle public requests. You cannot type the short name or alias, nor can you type the IP address.

When you installed the IBM HTTP Server software, you should have configured a virtual host name for the server program that handles non-SSL requests. The default value is the host name of the Registration Authority server.

Port number for the public server
Identify a free port where the public Web server should listen for requests. The default value is 80.

Secure Web server options
You must specify options that will enable the Trust Authority components to communicate with the secure Web servers. These servers handle SSL connections that require encryption and server authentication. You must configure one secure server to handle requests that also require client authentication.

- Configure the secure server that handles requests that do not require client authentication:

Host name or IP address
Type the fully qualified host name of the server that is set up to handle these types of requests. You cannot type the short name or alias, nor can you type the IP address.

When you installed the IBM HTTP Server software, you should have configured a virtual host name for the server program that handles requests that do not require client authentication. The default value is the host name of the Registration Authority server.

Port number
Identify a free port where the secure Web server should listen for SSL requests that require encryption and server authentication, but not client authentication. The default value is 443.

- Configure the secure server that handles requests that require client authentication:

Host name or IP address
Type the fully qualified host name of the server that is set up to handle these types of requests. You cannot type the short name or alias, nor can you type the IP address.

When you installed the IBM HTTP Server software, you should have configured a virtual host name for the server program that handles client-authenticated requests. The default value is the local host name of the Registration Authority server.

Port number
Identify a free port where the secure Web server should listen for SSL requests that require encryption, server authentication, and client authentication. The default value is 1443.

Trust Authority Client options
You must identify a port on the RA server for processing requests from the Trust Authority Client application.


These connections, such as requests to obtain, renew, or revoke certificates, use the PKIX certificate management protocol (PKIX CMP). Contrast this with requests that are handled by the secure Web servers, which use the HTTPS protocol to establish SSL connections.

Port number for Trust Authority Client requests
Identify a free port where the Trust Authority RA server should listen for PKIX requests from a Client application. The default value is 829.
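Every host name field above rejects short names, aliases, and IP addresses, and every port field must name a free port; the Directory, public Web, two secure Web, and PKIX CMP defaults are 389, 80, 443, 1443, and 829. The script below is an added example, not part of this guide or of Trust Authority, that checks a set of such values before you type them into the Setup Wizard: it rejects anything that is not a dotted host name, flags two components assigned the same host and port, and optionally probes whether each port can still be bound on the machine it runs on. The settings table, the function names, and the rule "a port that cannot be bound is in use" are assumptions; a port probe is only meaningful on the machine that will host that component.

```python
"""Added example (not part of this guide or of Trust Authority): pre-flight
check of the host name and port fields for the Directory server, the public
Web server, the two secure Web servers, and the Trust Authority Client
(PKIX CMP) port, using the defaults the guide lists.

Assumptions (hypothetical): the settings table below, the function names,
and the rule that a port which cannot be bound on this machine is "in use".
"""
import ipaddress
import re
import socket

# One DNS label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_fqdn(host: str) -> bool:
    """True only for a dotted, syntactically valid host name. IP literals and
    short names or aliases without a domain part are rejected, as the wizard
    rejects them."""
    host = host.rstrip(".")
    if not host or len(host) > 253 or is_ip_literal(host) or "." not in host:
        return False
    labels = host.split(".")
    return all(_LABEL.match(lbl) for lbl in labels) and not labels[-1].isdigit()


def resolves(host: str) -> bool:
    """True if the name resolves in this machine's DNS (needs the network)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def port_is_free(port: int, host: str = "127.0.0.1"):
    """True if host:port can be bound, False if something already owns it,
    None if this process may not bind it (ports below 1024 when not root)."""
    if not 1 <= port <= 65535:
        return False
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
            return True
        except PermissionError:
            return None
        except OSError:
            return False


# Constructed table mirroring the wizard's fields and their documented defaults.
DEFAULTS = {
    "Directory server": ("ra.example.com", 389),
    "Public Web server": ("ra.example.com", 80),
    "Secure Web server (server auth)": ("ra.example.com", 443),
    "Secure Web server (client auth)": ("ra.example.com", 1443),
    "Trust Authority Client (PKIX CMP)": ("ra.example.com", 829),
}


def preflight(settings=DEFAULTS, check_dns=False, check_ports=False) -> list[str]:
    """Return a list of problems; an empty list means the fields look usable."""
    problems = []
    owner = {}  # (host, port) -> first component that claimed it
    for name, (host, port) in settings.items():
        if not is_fqdn(host):
            problems.append(f"{name}: '{host}' is not a fully qualified host name "
                            "(short names, aliases and IP addresses are rejected)")
        elif check_dns and not resolves(host):
            problems.append(f"{name}: '{host}' does not resolve in DNS")
        key = (host.lower().rstrip("."), port)
        if key in owner:
            problems.append(f"{name}: port {port} on {host} is already assigned to {owner[key]}")
        else:
            owner[key] = name
        if check_ports:
            free = port_is_free(port)
            if free is False:
                problems.append(f"{name}: port {port} is already in use on this machine")
            elif free is None:
                problems.append(f"{name}: port {port} is privileged; rerun as root to test it")
    return problems


def demonstrate_port_check():
    """Occupy an ephemeral port with a listener, probe it, release it, probe again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        while_listening = port_is_free(port)
    after_close = port_is_free(port)
    return while_listening, after_close


if __name__ == "__main__":
    for line in preflight(check_ports=True) or ["all fields look usable"]:
        print(line)
    print("occupied/free probe:", demonstrate_port_check())
```

Note that the two secure Web servers share the same default host name and differ only in port (443 and 1443); the duplicate check above catches the common mistake of giving both the same port, which the wizard's defaults avoid but a hand-edited configuration may not.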

Configuration summary
Scroll through the configuration options you specified for the various Trust Authority components.

If you want to alter any of the settings before applying them, click Previous until you return to the component you want to change.

When you are ready to proceed with the configuration process, click Next.

Save configuration data
Saving the configuration data provides you with a backup of your configuration values. It also enables you to use the values as the baseline for setting up another Trust Authority system.

When you start the Setup Wizard, you are asked whether you want to import data from a previous configuration. If you do, you can then select the configuration data file that contains the values you want to import.

Configuration data name
Type a file name for the configuration data. You do not need to type a file extension. The default value is DatabaseBackup.

Use a name that will allow you to identify this file as the one you want to import when you configure another Trust Authority system. The name can contain spaces, but it cannot contain symbols or any characters that are not permitted by your operating system.

See “Import configuration data” on page 12 for information about the steps you must take to import the data to a new Trust Authority server.

To save the configuration data and proceed with the configuration process, click Next. If you specify a file name that is not permitted by your operating system, the Setup Wizard will prompt you to correct it. Note that if you click Exit to exit the Setup Wizard before you explicitly save the configuration data, none of the values you specified will be saved.

Configuration process
After saving configuration data for this installation of Trust Authority, you must apply the values to the system. When you apply the values, the CfgStart configuration program begins. During this process, the system creates the component databases and updates the component configuration files.

Note: If you installed any of the server components on a remote machine, the configuration programs will pause and prompt you to take action on that remote machine before continuing to the next step in the configuration process. See “Set up remote servers” on page 13 for details.


Finish button
When you are ready to begin the configuration process, click Finish.

The Status column displays the progress of the configuration process. As each component is updated, the status indicator changes as follows:

Yet to be configured
Indicates that configuration of this component has not begun.

Configuring
Indicates that configuration of this component has begun.

Partially Configured
Indicates that manual intervention is required, such as running a configuration program on a remote machine.

Configured
Indicates that this component has been configured successfully.

Failed
Indicates that this component could not be configured. View the message logs for more information about the failure.

View Advanced Messages button
To see more detailed messages about the configuration process, click View Advanced Messages.

The applet opens a window to display the log messages that are produced by the configuration programs.

Keyboard alternatives for mouse actions
Consult the following table if you want to use the keyboard to make selections in the Setup Wizard or Distinguished Name Editor instead of using a mouse.

Cursor focus location                                                   Keystroke

Working within the DN Editor
  Select another tab label and display that tab.                        Right arrow goes to the next tab. Left arrow goes to the previous tab.
  Scroll within a tab.                                                  Page Down scrolls downward. Page Up scrolls upward.
  Exit the DN Editor.                                                   Escape.

Moving between fields
  Move to the next field from most fields.                              Tab.
  Move to the previous field from most fields.                          Shift-Tab.

Working with items in a combo box
  Move through the list of items.                                       Down arrow moves down. Up arrow moves up.
  Move to the next field; the currently displayed item remains selected. Tab.

Working with the items in a list box
  Move through the list of items.                                       Down arrow moves down. Up arrow moves up.
  Move to the next field; the currently displayed item remains selected. Tab.

Working with a set of radio buttons (a set is considered one field)
  Move through the radio buttons and select one.                        Down arrow and Right arrow move to the next selection. Up arrow and Left arrow move to the previous selection.
  Exit and move to the next field.                                      Tab.

Work with check boxes
  Select or deselect the check box.                                     Space bar.
  Exit and move to the next field.                                      Tab.

Work with command buttons
  Move to a command button.                                             Tab.
  Execute the command.                                                  Space bar or Enter key.

National language considerations
This section summarizes the differences between the English version of Trust Authority and the other languages that it supports. If you run the Setup Wizard using a non-English version of Trust Authority, review this section to learn about differences in how information may be displayed or processed in your language.

Specifying Your Registration Domain Language
If you plan to run the registration facility in a language other than English, be sure to select your language when specifying configuration options for the registration domain. The default value is English. If you do not change this value during configuration, you cannot change it later without re-installing the product.

Using ASCII Characters
When specifying directory paths or distinguished names (DNs) for the CA, Directory administrator, or Directory root, you must use ASCII characters. You cannot type path names or DNs that contain non-ASCII or double-byte language characters, such as Japanese or Chinese.

Running the Applet in Traditional Chinese
If you use a CHT version of Netscape Navigator or Netscape Communicator, version 4.05 or version 4.5, the Setup Wizard index page may be returned in English rather than Traditional Chinese. You should ensure that the language preference in your browser is set to use Traditional Chinese as the primary language, not English.

If you still have problems, it may be a browser limitation caused by how Netscape was localized at your organization. As an alternative, try using Microsoft Internet Explorer to load the Setup Wizard.


Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the information. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this information at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

© Copyright IBM Corp. 1999, 2000 49

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Department LZKS
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM’s suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

Trademarks and service marks
The following terms are trademarks of International Business Machines Corporation in the United States, or other countries, or both:

IBM
AIX
AIX/6000
DB2
DB2 Universal Database
SecureWay
WebSphere

The Trust Authority program ("the Program") includes portions of DB2 Universal Database. You are authorized to install and use these components only in association with your licensed use of the Program for the storage and management of data used or generated by the Program, and not for other data management purposes. For example, this license does not include inbound connections to the database from other applications for queries or report generation. You are authorized to install and use these components only with and on the same machine as the Program.

The Program includes portions of the IBM WebSphere Application Server and the IBM HTTP Web Server ("IBM Servers"). You are not authorized to install or use the IBM Servers other than in connection with your licensed use of the Program. The IBM Servers must reside on the same machine as the Program, and you are not authorized to install or use the IBM Servers separate from the Program.

Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark in the United States, other countries, or both and is licensed exclusively through X/Open Company Limited.

Pentium is a trademark of Intel Corporation in the United States, other countries, or both.

This program contains security software from RSA Data Security, Inc. Copyright © 1994 RSA Data Security, Inc. All rights reserved.

This program contains Standard Template Library (STL) software from Hewlett-Packard Company. Copyright (c) 1994.
- Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

This program contains Standard Template Library (STL) software from Silicon Graphics Computer Systems, Inc. Copyright (c) 1996–1999.
- Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Silicon Graphics makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

Other company, product, and service names may be trademarks or service marks of others.


Related information

The Trust Authority product documentation is available in Portable Document Format (PDF) and HTML format on the IBM SecureWay Trust Authority Documentation CD-ROM. HTML versions of some publications are installed with the product and are accessible from the user interfaces.

Be aware that the product may have changed since the publications were produced. For the latest product information, and for information about accessing a publication in the language and format of your choice, see the Readme file. The latest version of the Readme file is available on the IBM SecureWay Trust Authority Web site:
http://www.tivoli.com/support

The Trust Authority library includes the following documentation:

Up and Running
This book provides an overview of the product. It lists the product requirements, includes installation procedures, and provides information about how to access the online help available for each product component. This book is printed and distributed with the product.

System Administration Guide
This book contains general information about administering the Trust Authority system. It includes procedures for starting and stopping the servers, changing passwords, administering the server components, performing audits, and running data integrity checks.

Configuration Guide
This book contains information about how to use the Setup Wizard to configure a Trust Authority system. You can access the HTML version of this guide while viewing online help for the Wizard.

Registration Authority Desktop Guide
This book contains information about how to use the RA Desktop to administer certificates throughout the certificate life cycle. You can access the HTML version of this guide while viewing online help for the Desktop.

User’s Guide
This book contains information about how to obtain and manage certificates. It provides procedures for using the Trust Authority browser enrollment forms to request, renew, and revoke certificates. It also discusses how to preregister for PKIX-compliant certificates, and how to use the Trust Authority Client to manage these certificates. You can access the HTML version of this guide while viewing online help for the Client.

Customization Guide
This book shows you how to customize the Trust Authority registration facility to support the registration and certification goals of your business policies. For example, you can learn how to customize HTML and Java Server pages, notification letters, certificate profiles, and policy exits.

The Trust Authority Web site includes other documents that may help you install, administer, and use Trust Authority. For example, you can find supplemental guidelines on the Directory schema and learn how to integrate Trust Authority with the IBM SecureWay 4758 PCI Coprocessor.


Glossary

This glossary defines the terms and abbreviations in this book that may be new or unfamiliar and terms that may be of interest. It includes terms and definitions from:
- The IBM Dictionary of Computing, New York: McGraw-Hill, 1994.
- The American National Standard Dictionary for Information Systems, ANSI X3.172–1990, American National Standards Institute (ANSI), 1990.
- The Answers to Frequently Asked Questions, Version 3.0, California: RSA Data Security, Inc., 1998.

Numbers

4758 PCI Cryptographic Coprocessor. A programmable, tamper-responding cryptographic PCI-bus card offering high performance DES and RSA cryptographic processing. The cryptographic processes occur within a secure enclosure on the card. The card meets the stringent requirements of the FIPS PUB 140-1 level 4 standard. Software can run within the secure enclosure. For example, credit card transaction processing can use the SET standard.

A

Abstract Syntax Notation One (ASN.1). An ITU notation that is used to define the syntax of information data. It defines a number of simple data types and specifies a notation for identifying these types and for specifying values of these types. These notations can be applied whenever it is necessary to define the abstract syntax of information without curbing how the information is encoded for transmission.

access control list (ACL). A mechanism for limiting the use of a specific resource to authorized users.

ACL. Access control list.

action history. Accumulated events in the life cycle of a credential.

American National Standard Code for Information Interchange (ASCII). The standard code that is used for information interchange among data processing systems, data communication systems, and associated equipment. The ASCII set uses a coded character set that consists of 7-bit coded characters (8 bits including a bit for parity checking). The character set consists of control characters and graphic characters.

American National Standards Institute (ANSI). An organization that establishes the procedures by which accredited organizations create and maintain voluntary industry standards in the United States. It consists of producers, consumers, and general interest groups.

ANSI. American National Standards Institute.

applet. A computer program that is written in Java and runs inside a Java-compatible Web browser. Also known as a Java applet.

ASCII. American National Standard Code for Information Interchange.

ASN.1. Abstract Syntax Notation One.

asymmetric cryptography. Cryptography that uses a pair of different (asymmetric) keys for encryption and decryption. Each user receives a pair of keys: a public key accessible to all, and a private key known only to the user. Data encrypted with one key of the pair can be decrypted only with the other, so a message encrypted with a user’s public key can be read only by the holder of the matching private key. This is also known as key pair cryptography. Contrast with symmetric cryptography.

asynchronous communication. A mode of communication that does not require the sender and recipient to be present simultaneously.

audit client. Any client in the system that sends audit events to the Trust Authority Audit server. Before an audit client sends an event to the Audit server, it establishes a connection with the Audit server. After the connection is established, the client uses the audit subsystem client library to deliver events to the Audit server.

audit log. In Trust Authority, a table in a database that stores one record per audit event.

Audit server. A Trust Authority server that receives audit events from audit clients and writes them to an audit log.

audit subsystem. In Trust Authority, a subsystem that provides the support for logging security-relevant actions. It conforms to recommendations in standard X9.57, of the standards set forth in Public Key Cryptography for the Financial Services Industry.

audit trail. Data, in the form of a logical path, that links a sequence of events. An audit trail enables tracing of transactions or the history of a given activity.


authentication. The process of reliably determiningthe identity of a communicating party.

authorization. Permission to access a resource.

Bbase64 encoding. A common means of conveyingbinary data with MIME.

Basic Encoding Rules (BER). The rules specified inISO 8825 for encoding data units described in abstractsyntax notation 1 (ASN.1). The rules specify theencoding technique, not the abstract syntax.

BER. Basic Encoding Rules.

browser. See Web browser.

browser certificate. A digital certificate is also knownas a client-side certificate. It is issued by a CA throughan SSL-enabled Web server. Keys in an encrypted fileenable the holder of the certificate to encrypt, decrypt,and sign data. Typically, the Web browser stores thesekeys. Some applications permit storage of the keys onsmart cards or other media. See also digital certificate.

business process objects. A set of code used toaccomplish a specific registration operation, such aschecking the status of an enrollment request orverifying that a public key was sent.

business process template. A set of business processobjects that are run in a specified order.

bytecode. Machine-independent code that is generatedby the Java compiler and run by the Java interpreter.

CCA. Certificate authority.

CA certificate. A certificate your Web browser accepts,at your request, from a CA it does not recognize. Thebrowser can then use this certificate to authenticatecommunications with servers that hold certificatesissued by that CA.

CA hierarchy. In Trust Authority, a trust structurewhereby one CA is located at the top of the structureand up to four layers of subordinate CAs are locatedbelow. When users or servers are registered with a CA,they receive a certificate signed that is by that CA, andthey inherit the certification hierarchy of the layersabove.

CA server. The server for the Trust AuthorityCertificate Authority (CA) component.

CAST-64. A block cipher algorithm that uses a 64-bit block size and a 64-bit key. It was designed by Carlisle Adams and Stafford Tavares.

CCA. IBM Common Cryptographic Architecture.

CDSA. Common Data Security Architecture.

certificate authority (CA). The software responsible for following an organization’s security policies and assigning secure electronic identities in the form of certificates. The CA processes requests from RAs to issue, renew, and revoke certificates. The CA interacts with the RA to publish certificates and CRLs in the Directory. See also digital certificate.

certificate extension. An optional feature of the X.509v3 certificate format that provides for the inclusion of additional fields in the certificate. There are standard extensions and user-defined extensions. Standard extensions exist for various purposes, including key and policy information, subject and issuer attributes, and certification path constraints.

certificate policy. A named set of rules that indicates the applicability of a certificate to a particular class of applications that have common security requirements. For example, a certificate policy might indicate whether a particular certification type allows a user to conduct transactions for goods within a given price range.

certificate profile. A set of characteristics that define the type of certificate wanted (such as SSL certificates or IPSec certificates). The profile aids in managing certificate specification and registration. The issuer can change the names of the profiles and specify characteristics of the desired certificate, such as the validity period, key usage, DN constraints, and so forth.

certificate revocation list (CRL). A digitally signed, time-stamped list of certificates that the certificate authority has revoked. The certificates in this list should be considered unacceptable. See also digital certificate.

certification. The process during which a trusted third party issues an electronic credential that vouches for an individual, business, or organizational identity.

CGI. Common Gateway Interface.

chain validation. The validation of all CA signatures in the trust hierarchy through which a given certificate was issued. For example, if a CA was issued its signing certificate by another CA, both signatures are validated during validation of the certificate that the user presents.
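As an added example, not taken from the IBM guide: the Go program below builds a two-layer CA hierarchy with the standard library, using the glossary's example DN C=US/O=IBM/OU=Trust/CN=CA1 for the top CA, and then runs chain validation against it; the subordinate CA name CA2, the user name user1, the serial numbers and the validity periods are assumptions. It also shows the failure case in which the subordinate CA's certificate is not presented, so validation cannot reach the trusted top CA.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// caTemplate builds a CA certificate template; pathLen bounds how many
// further CA layers may sit below this CA.
func caTemplate(serial int64, cn string, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		// The glossary's example DN, C=US/O=IBM/OU=Trust/CN=CA1, names the top CA.
		Subject: pkix.Name{Country: []string{"US"}, Organization: []string{"IBM"},
			OrganizationalUnit: []string{"Trust"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issue signs tmpl with the issuer's private key (pass tmpl as issuer to self-sign).
func issue(tmpl, issuer *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildHierarchy generates keys and certificates for top CA -> subordinate CA -> user
// and returns the three certificates in that order (all names are hypothetical).
func BuildHierarchy() (top, sub, leaf *x509.Certificate, err error) {
	var keys [3]*rsa.PrivateKey
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return nil, nil, nil, err
		}
	}
	// Top CA: self-signed; up to four layers of subordinate CAs may sit below it.
	topTmpl := caTemplate(1, "CA1", 4)
	if top, err = issue(topTmpl, topTmpl, &keys[0].PublicKey, keys[0]); err != nil {
		return nil, nil, nil, err
	}
	// Subordinate CA (hypothetical name CA2): signed by CA1, inheriting CA1's position.
	if sub, err = issue(caTemplate(2, "CA2", 3), top, &keys[1].PublicKey, keys[0]); err != nil {
		return nil, nil, nil, err
	}
	// End entity (hypothetical user): signed by the subordinate CA, not a CA itself.
	user := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "user1"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if leaf, err = issue(user, sub, &keys[2].PublicKey, keys[1]); err != nil {
		return nil, nil, nil, err
	}
	return top, sub, leaf, nil
}

// ValidateChain validates every CA signature from the presented certificate up to
// the trusted top CA and returns the number of certificates in the validated path.
// Only the top CA is trusted outright; each subordinate CA must be presented and checked.
func ValidateChain(leaf, top *x509.Certificate, intermediates ...*x509.Certificate) (int, error) {
	roots := x509.NewCertPool()
	roots.AddCert(top)
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	top, sub, leaf, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	fmt.Println(ValidateChain(leaf, top, sub)) // 3 <nil>: user -> CA2 -> CA1
	fmt.Println(ValidateChain(leaf, top))      // 0 and an unknown-authority error
}
```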

class. In object-oriented design or programming, a group of objects that share a common definition and therefore share common properties, operations, and behavior.

cleartext. Data that is not encrypted. Synonym for plaintext.

client. (1) A functional unit that receives shared services from a server. (2) A computer or program that requests a service of another computer or program.

client/server. A model in distributed processing in which a program at one site sends a request to a program at another site and waits for a response. The requesting program is called a client; the answering one is called a server.

code signing. A technique for signing executable programs with digital signatures. Code signing is designed to improve the reliability of software that is distributed over the Internet.

Common Cryptographic Architecture (CCA). IBM software that enables a consistent approach to cryptography on major IBM computing platforms. It supports application software that is written in a variety of programming languages. Application software can call on CCA services to perform a broad range of cryptographic functions, including DES and RSA encryption.

Common Data Security Architecture (CDSA). An initiative to define a comprehensive approach to security service and security management for computer-based security applications. It was designed by Intel to make computer platforms more secure for applications.

Common Gateway Interface (CGI). Standard method of transmitting information between Web pages and Web servers.

confidentiality. The property of not being divulged to unauthorized parties.

credential. Confidential information used to prove one’s identity in an authentication exchange. In environments for network computing, the most common type of credential is a certificate that a CA has created and signed.

CRL. Certificate revocation list.

CRL publication interval. Set in the CA configuration file, the interval of time between periodic publications of the CRL to the Directory.

cross-certification. A trust model whereby one CA issues to another CA a certificate that contains the public key associated with its private signature key. A cross-certified certificate allows client systems or end entities in one administrative domain to communicate securely with client systems or end entities in another domain.

cryptographic. Pertaining to the transformation of data to conceal its meaning.

cryptography. In computer security, the principles, means, and methods for encrypting plaintext and decrypting encrypted text.

D

daemon. A program that carries out tasks in the background. It is implicitly called when a condition occurs that requires its help. A user need not be aware of a daemon, because the system usually spawns it automatically. A daemon might live forever or the system might regenerate it at intervals.

The term (pronounced demon) comes from mythology. Later, it was rationalized as the acronym DAEMON: Disk And Execution MONitor.

Data Encryption Standard (DES). An encryption block cipher, defined and endorsed by the U.S. government in 1977 as an official standard. IBM developed it originally. DES has been extensively studied since its publication and is a well-known and widely used cryptographic system.

DES is a symmetric cryptographic system. When it is used for communication, both the sender and receiver must know the same secret key. This key is used to encrypt and decrypt the message. DES can also be used for single-user encryption, such as to store files on a hard disk in encrypted form. DES has a 64-bit block size and uses a 56-bit key during encryption. It was originally designed for implementation in hardware. NIST has recertified DES as an official U.S. government encryption standard every five years.

Data Storage Library (DL). A module that provides access to persistent data stores of certificates, CRLs, keys, policies, and other security-related objects.

decrypt. To undo the encryption process.

DEK. Document encrypting key.

DER. Distinguished Encoding Rules.

DES. Data Encryption Standard.

Diffie-Hellman. A method of establishing a shared key over an insecure medium, named after the inventors (Diffie and Hellman).

digital certificate. An electronic credential that is issued by a trusted third party to a person or entity. Each certificate is signed with the private key of the CA. It vouches for an individual, business, or organizational identity.

Depending on the role of the CA, the certificate can attest to the authority of the bearer to conduct e-business over the Internet. In a sense, a digital certificate performs a similar role to a driver’s license or a medical diploma. It certifies that the bearer of the corresponding private key has authority to conduct certain e-business activities.

A certificate contains information about the entity it certifies, whether person, machine, or computer program. It includes the certified public key of that entity.

digital certification. See certification.

digital signature. A coded message added to a document or data that guarantees the identity of the sender.

A digital signature can provide a greater level of security than a physical signature. The reason for this is that a digital signature is not an encrypted name or series of simple identification codes. Instead, it is an encrypted summary of the message that is being signed. Thus, affixing a digital signature to a message provides solid identification of the sender. (Only the sender’s key can create the signature.) It also fixes the content of the message that is being signed (the encrypted message summary must match the message content or the signature is not valid). Thus, a digital signature cannot be copied from one message and applied to another because the summary, or hash, would not match. Any alterations to the signed message would also invalidate the signature.

Digital Signature Algorithm (DSA). A public key algorithm that is used as part of the Digital Signature Standard. It cannot be used for encryption, only for digital signatures.

Directory. A hierarchical structure intended as a global repository for information related to communications (such as e-mail or cryptographic exchanges). The Directory stores specific items that are essential to the PKI structure, including public keys, certificates, and certificate revocation lists.

Data in the Directory is organized hierarchically in the form of a tree, with the root at the top of the tree. Often, higher level organizations represent individual countries, governments, or companies. Users and devices are typically represented as leaves of each tree. These users, organizations, localities, countries, and devices each have their own entry. Each entry consists of typed attributes. These provide information about the object that the entry represents.

Each entry in the Directory is bound with an associated distinguished name (DN). This is unique when the entry includes an attribute that is known to be unique to the real world object. Consider the following example DN. In it, the country (C) is US, the organization (O) is IBM, the organizational unit (OU) is Trust, and the common name (CN) is CA1.

C=US/O=IBM/OU=Trust/CN=CA1

Directory server. In Trust Authority, the IBM SecureWay Directory. This Directory supports LDAP standards and uses DB2 as its base.

Distinguished Encoding Rules (DER). Provides constraints on the BER. DER selects just one type of encoding from those that the encoding rules allow, eliminating all of the sender’s options.

distinguished name (DN). The unique name of a data entry that is stored in the Directory. The DN uniquely identifies the position of an entry in the hierarchical structure of the Directory.

DL. Data Storage Library.

DN. Distinguished name.

document encrypting key (DEK). Typically, a symmetric encryption/decryption key, such as DES.

domain. See security domain and registration domain.

DSA. Digital Signature Algorithm.

E

e-business. Business transactions over networks and through computers. It includes buying and selling goods and services. It also includes transferring funds through digital communications.

e-commerce. Business-to-business transactions. It includes buying and selling goods and services (with customers, suppliers, vendors, and others) on the Internet. It is a primary element of e-business.

end-entity. The subject of a certificate that is not a CA.

encrypt. To scramble information so that only someone who has the appropriate decryption code can obtain the original information through decryption.

encryption/decryption. Using the public key of the intended recipient to encipher data for that person, who then uses the private key of the pair to decipher the data.

enrollment. In Trust Authority, the process of obtaining credentials for use over the Internet. Enrollment encompasses the requesting, renewing, and revoking of certificates.

enrollment attribute. An enrollment variable that is contained in an enrollment form. Its value reflects the information that is captured during the enrollment. The value of the enrollment attribute remains the same throughout the lifetime of the credential.

enrollment variable. See enrollment attribute.

extranet. A derivative of the Internet that uses similar technology. Companies are beginning to apply Web publishing, electronic commerce, message transmission, and groupware to multiple communities of customers, partners, and internal staff.

F

File Transfer Protocol (FTP). An Internet client/server protocol for use in transferring files between computers.

firewall. A gateway between networks that restricts the flow of information between networks. Typically, the purpose of a firewall is to protect internal networks from unauthorized use from the outside.

FTP. File Transfer Protocol.

G

gateway. A functional unit that allows incompatible networks or applications to communicate with each other.

H

HTML. Hypertext Markup Language.

HTTP. Hypertext Transaction Protocol.

HTTP server. A server that handles Web-based communications with browsers and other programs in a network.

hypertext. Text that contains words, phrases, or graphics that the reader can click with the mouse to retrieve and display another document. These words, phrases, or graphics are known as hyperlinks. Retrieving them is known as linking to them.

Hypertext Markup Language (HTML). A markup language for coding Web pages. It is based on SGML.

Hypertext Transaction Protocol (HTTP). An Internet client/server protocol for transferring hypertext files across the Web.

I

ICL. Issued certificate list.

IETF (Internet Engineering Task Force). A group that focuses on engineering and developing protocols for the Internet. It represents an international community of network designers, operators, vendors, and researchers. The IETF is concerned with the development of the Internet architecture and the smooth use of the Internet.

IniEditor. In Trust Authority, a tool used to edit configuration files.

instance. In DB2, an instance is a logical database management environment for storing data and running applications. It allows definition of a common set of configuration parameters for multiple databases.

integrity. A system protects the integrity of data if it prevents unauthorized modification (as opposed to protecting the confidentiality of data, which prevents unauthorized disclosure).

integrity checking. The checking of audit records that result from transactions with external components.

internal structure. See schema.

International Standards Organization (ISO). An international organization tasked with developing and publishing standards for everything from wine glasses to computer network protocols.

International Telecommunication Union (ITU). An international organization within which governments and the private sector coordinate global telecommunication networks and services. It is the leading publisher of telecommunication technology, regulatory, and standards information.

Internet. A worldwide collection of networks that provide electronic connection between computers. This enables them to communicate with each other via software devices such as electronic mail or Web browsers. For example, some universities are on a network that in turn links with other similar networks to form the Internet.

intranet. A network within an enterprise that usually resides behind firewalls. It is a derivative of the Internet and uses similar technology. Technically, an intranet is a mere extension of the Internet. HTML and HTTP are some of the commonalities.

IPSec. An Internet Protocol Security standard, developed by the IETF. IPSec is a network layer protocol, designed to provide cryptographic security services that flexibly support combinations of authentication, integrity, access control, and confidentiality. Because of its strong authentication features, it has been adopted by many VPN product vendors as the protocol for establishing secure point-to-point connections over the Internet.

ISO. International Standards Organization.

issued certificate list (ICL). A complete list of the certificates that have been issued and their current status. Certificates are indexed by serial number and state. This list is maintained by the CA and stored in the CA database.

ITU. International Telecommunication Union.

J

Java. A set of network-aware, non-platform-specific computer technologies developed by Sun Microsystems, Incorporated. The Java environment consists of the Java OS, the virtual machines for various platforms, the object-oriented Java programming language, and several class libraries.

Java applet. See applet. Contrast with Java application.

Java application. A stand-alone program that is written in the Java language. It runs outside the context of a Web browser.

Java class. A unit of Java program code.

Java language. A programming language, developed by Sun Microsystems, designed specifically for use in applet and agent applications.

Java Virtual Machine (JVM). The part of the Java run-time environment responsible for interpreting bytecodes.

K

key. A quantity used in cryptography to encipher or decipher information.

key pair. Corresponding keys that are used in asymmetric cryptography. One key is used to encrypt and the other to decrypt.

KeyStore. A DL for storing Trust Authority component credentials, such as keys and certificates, in an encrypted format.

L

LDAP. Lightweight Directory Access Protocol.

Lightweight Directory Access Protocol (LDAP). A protocol used to access the Directory.

M

MAC. Message authentication code.

MD2. A 128-bit message-digest hash function, designed by Ron Rivest. It is used with MD5 in the PEM protocols.

MD4. A 128-bit message-digest hash function, designed by Ron Rivest. It is several times faster than MD2.

MD5. A one-way message-digest hash function, designed by Ron Rivest. It is an improved version of MD4. MD5 processes input text in 512-bit blocks, divided into 16 32-bit sub-blocks. The output of the algorithm is a set of four 32-bit blocks, which concatenate to form a single 128-bit hash value. It is also used along with MD2 in the PEM protocols.

message authentication code (MAC). A secret key that is shared between the sender and the recipient.

The sender authenticates, and the recipient verifies. In Trust Authority, MAC keys are stored in the KeyStores for the CA and Auditing components.

message digest. An irreversible function that takes an arbitrary-sized message and produces a fixed length quantity. MD5 is an example of a message digest algorithm.

MIME (Multipurpose Internet Mail Extensions). A freely available set of specifications that allows the interchange of text in languages with different character sets. It also allows multimedia e-mail among many different computer systems that use Internet mail standards. For example, the e-mail messages may contain character sets other than US-ASCII, enriched text, images, and sounds.

modulus. In the RSA public key cryptographic system, the product (n) of two large primes: p and q. The best size for an RSA modulus depends on one’s security needs. The larger the modulus, the greater the security. The current RSA Laboratories–recommended key sizes depend on the planned use for the key: 768 bits for personal use, 1024 bits for corporate use, and 2048 bits for extremely valuable keys like the key pair of a CA. A 768-bit key is expected to be secure until at least the year 2004.

N

National Language Support (NLS). Support within a product for differences in locales, including language, currency, date and time format, and numeric presentation.

National Security Agency (NSA). The official security body of the U.S. government.

NIST. National Institute of Standards and Technology, formerly known as NBS (National Bureau of Standards). It promotes open standards and interoperability in computer-based industries.

NLS. National language support.

nonce. A string that is sent down from a server or application, requesting user authorization. The user that is asked for authentication signs the nonce with a private key. The user’s public key and the signed nonce are sent back to the server or application that requested authentication. The server then attempts to decipher the signed nonce with the user’s public key. If the deciphered nonce is the same as the original nonce that was sent, the user is authenticated.
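As an added example, not from the IBM guide, the Go program below plays both sides of the nonce exchange just described, with the server holding a trusted copy of the user's public key (as it would from the user's certificate) rather than accepting whichever key arrives with the response; the user name user1, the 32-byte nonce size, and the use of SHA-256 with RSA PKCS #1 v1.5 are assumptions. It also shows the two checks a server needs besides signature verification: that it issued the nonce to this user, and that the nonce has not been used before.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server issues nonces. It must already hold a trusted copy of each user's
// public key (in a PKI, taken from the user's certificate): trusting whatever
// key arrives with the response would let anyone authenticate.
type Server struct {
	trusted map[string]*rsa.PublicKey // user name -> trusted public key
	pending map[string]string         // hex(nonce) -> user it was issued to
}

func NewServer() *Server {
	return &Server{trusted: map[string]*rsa.PublicKey{}, pending: map[string]string{}}
}

// Challenge issues a fresh, unpredictable 32-byte nonce for a known user.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.trusted[user]; !ok {
		return nil, errors.New("unknown user: " + user)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = user
	return nonce, nil
}

// Respond is the client side: sign the SHA-256 digest of the nonce with the
// private key (RSA PKCS #1 v1.5; the verifier recovers and compares the digest).
func Respond(priv *rsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify accepts the response only if the nonce was issued to this user, has
// not been used before, and the signature checks under the trusted public key.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	key := hex.EncodeToString(nonce)
	if issuedTo, ok := s.pending[key]; !ok || issuedTo != user {
		return false
	}
	delete(s.pending, key) // single use: a captured response cannot be replayed
	digest := sha256.Sum256(nonce)
	return rsa.VerifyPKCS1v15(s.trusted[user], crypto.SHA256, digest[:], sig) == nil
}

// RunExchange performs an honest authentication, then replays the same
// response, then answers a new challenge with a key the server does not trust.
// It returns the three verification results in that order.
func RunExchange() (honest, replay, untrustedKey bool, err error) {
	userKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	srv := NewServer()
	srv.trusted["user1"] = &userKey.PublicKey // hypothetical user name
	nonce, err := srv.Challenge("user1")
	if err != nil {
		return
	}
	sig, err := Respond(userKey, nonce)
	if err != nil {
		return
	}
	honest = srv.Verify("user1", nonce, sig)
	replay = srv.Verify("user1", nonce, sig) // same nonce and signature again
	nonce2, err := srv.Challenge("user1")
	if err != nil {
		return
	}
	sig2, err := Respond(otherKey, nonce2)
	if err != nil {
		return
	}
	untrustedKey = srv.Verify("user1", nonce2, sig2)
	return
}

func main() {
	honest, replay, untrusted, err := RunExchange()
	if err != nil {
		panic(err)
	}
	fmt.Println("honest:", honest, "replay:", replay, "untrusted key:", untrusted)
}
```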

non-repudiation. The use of a digital private key to prevent the signer of a document from falsely denying having signed it.

NSA. National Security Agency.

O

object. In object-oriented design or programming, an abstraction encapsulating data and the operations associated with that data. See also class.

object identifier (OID). An administratively assigned data value of the type defined in abstract syntax notation 1 (ASN.1).

object type. The kind of object that can be stored in the Directory. For example, an organization, meeting room, device, person, program, or process.

ODBC. Open Database Connectivity.

Open Database Connectivity (ODBC). A standard for accessing different database systems.

Open Systems Interconnect (OSI). The name of the computer networking standards that the ISO approved.

OSI. Open Systems Interconnect.

P

PC card. Similar to a smart card, and sometimes called a PCMCIA card. This card is somewhat larger than a smart card and usually has a greater capacity.

PEM. Privacy-enhanced mail.

PKCS. Public Key Cryptography Standards.

PKCS #1. See Public Key Cryptography Standards.

PKCS #7. See Public Key Cryptography Standards.

PKCS #10. See Public Key Cryptography Standards.

PKCS #11. See Public Key Cryptography Standards.

PKCS #12. See Public Key Cryptography Standards.

PKI. Public key infrastructure.

PKIX. An X.509v3-based PKI.

PKIX certificate management protocol (CMP). A protocol that enables connections with PKIX-compliant applications. PKIX CMP uses TCP/IP as its primary transport mechanism, but an abstraction layer over sockets exists. This enables support for additional polling transports.

PKIX CMP. PKIX certificate management protocol.

PKIX listener. The public HTTP server that a particular registration domain uses to listen for requests from the Trust Authority Client application.

plaintext. Unencrypted data. Synonym for cleartext.

policy exit. In a registration facility, an organization-defined program that is called by the registration application. The rules specified in a policy exit apply the organization’s business and security preferences to the enrollment process.

preregistration. In Trust Authority, a process that allows one user, typically an administrator, to enroll other users. If the request is approved, the RA provides information that allows the user to obtain the certificate at a later time using the Trust Authority Client application.

privacy. Protection from the unauthorized disclosure of data.

privacy-enhanced mail (PEM). The Internet privacy-enhanced mail standard that the Internet Architecture Board (IAB) adopted to provide secure electronic mail over the Internet. The PEM protocols provide for encryption, authentication, message integrity, and key management.

private key. The key in a public/private key pair that is available only to its owner. It enables the owner to receive a private transaction or make a digital signature. Data signed with a private key can be verified only with the corresponding public key. Contrast with public key. See also public/private key pair.

protocol. An agreed-on convention for inter-computer communication.

proxy server. An intermediary between the computer that is requesting access (computer A) and the computer that is being accessed (computer B). Thus, if an end user makes a request for a resource from computer A, this request is directed to a proxy server. The proxy server makes the request, gets the response from computer B, and then forwards the response to the end user. Proxy servers are useful for accessing World Wide Web resources from inside a firewall.

public key. The key in a public/private key pair that is made available to others. It enables them to direct a transaction to the owner of the key or verify a digital signature. Data encrypted with the public key can be decrypted only with the corresponding private key. Contrast with private key. See also public/private key pair.

Public Key Cryptography Standards (PKCS). Informal inter-vendor standards developed in 1991 by RSA Laboratories with representatives from various computer vendors. These standards cover RSA encryption, the Diffie-Hellman agreement, password-based encryption, extended-certificate syntax, cryptographic message syntax, private-key information syntax, and certification syntax.

• PKCS #1 describes a method for encrypting data by using the RSA public key cryptosystem. Its intended use is in the construction of digital signatures and digital envelopes.

• PKCS #7 specifies a general format for cryptographic messages.

• PKCS #10 specifies a standard syntax for certification requests.

• PKCS #11 defines a technology-independent programming interface for cryptographic devices such as smart cards.

• PKCS #12 specifies a portable format for storing or transporting a user’s private keys, certificates, miscellaneous secrets, and so forth.

public key infrastructure (PKI). A standard for security software that is based on public key cryptography. The PKI is a system of digital certificates, certificate authorities, registration authorities, certificate management services, and distributed directory services. It is used to verify the identity and authority of each party involved in any transaction over the Internet. These transactions might involve operations where identity verification is required. For example, they might confirm the origin of proposal bids, authors of e-mail messages, or financial transactions.

The PKI achieves this by making the public encryption keys and certificates of users available for authentication by a valid individual or organization. It provides online directories that contain the public encryption keys and certificates that are used in verifying digital certificates, credentials, and digital signatures.

The PKI provides a means for swift and efficient responses to verification queries and requests for public encryption keys. It also identifies potential security threats to the system and maintains resources to deal with security breaches. Lastly, the PKI provides a digital timestamping service for important business transactions.

public/private key pair. A public/private key pair is part of the concept of key pair cryptography (introduced in 1976 by Diffie and Hellman to solve the key management problem). In their concept, each person obtains a pair of keys, one called the public key and the other called the private key. Each person’s public key is made public while the private key is kept secret. The sender and receiver do not need to share secret information: all communications involve only public keys, and no private key is ever transmitted or shared. It is no longer necessary to trust some communications channel to be secure against eavesdropping or betrayal. The only requirement is that public keys must be associated with their users in a trusted (authenticated) manner (for instance, in a trusted directory). Anyone can send a confidential message by using public information. However, the message can be decrypted only with a private key, which is in the sole possession of the intended recipient. Furthermore, key pair cryptography can be used not only for privacy (encryption), but also for authentication (digital signatures).

R

RA. Registration authority.

RA Desktop. A Java applet that provides RAs with a graphical interface for processing requests for credentials and administering them throughout their lifetime.

RA server. The server for the Trust Authority Registration Authority component.

RC2. A variable key-size block cipher, designed by Ron Rivest for RSA Data Security. RC stands for Ron’s Code or Rivest’s Cipher. It is faster than DES and is designed as a drop-in replacement for DES. It can be made more secure or less secure against exhaustive key search than DES by using appropriate key sizes. It has a block size of 64 bits and is about two to three times faster than DES in software. RC2 can be used in the same modes as DES.

An agreement between the Software Publishers Association (SPA) and the United States government gives RC2 special status. This makes the export approval process simpler and quicker than the usual cryptographic export process. However, to qualify for quick export approval a product must limit the RC2 key size to 40 bits with some exceptions. An additional string can be used to thwart attackers who try to precompute a large look-up table of possible encryptions.

registrar. A user who has been authorized to access the RA Desktop, to administer certificates and requests for certificates.

registration authority (RA). The software that administers digital certificates to ensure that an organization’s business policies are applied from the initial receipt of an enrollment request through certificate revocation.

registration database. Contains information about certificate requests and issued certificates. The database stores enrollment data and all changes to the certificate data throughout its life cycle. The database can be updated by RA processes and policy exits, or by registrars.

registration domain. A set of resources, policies, and configuration options related to specific certificate registration processes. The domain name is a subset of the URL that is used to run the registration facility.

registration facility. A Trust Authority application framework that provides specialized means of enrolling entities (such as browsers, routers, e-mail, and secure client applications) and managing certificates throughout their life cycle.

registration process. In Trust Authority, the steps for validating a user, so that the user and the user’s public key can become certified and participate in transactions. This process can be local or Web-based, and can be automated or administered by human interaction.

repudiate. To reject as untrue; for example, to deny that you sent a specific message or submitted a specific request.

request ID. A 24- to 32-character ASCII value that uniquely identifies a certificate request to the RA. This value can be used on the certificate request transaction to retrieve the status of the request or the certificate that is associated with it.

RSA. A public key cryptographic algorithm that is named for its inventors (Rivest, Shamir, and Adleman). It is used for encryption and digital signatures.

S

schema. As relates to the Directory, the internal structure that defines the relationships between different object types.

Secure Electronic Transaction (SET). An industry standard that facilitates secure credit card or debit card payment over untrusted networks. The standard incorporates authentication of cardholders, merchants, and card-issuing banks because it calls for the issuance of certificates.

Secure Sockets Layer (SSL). An IETF standard communications protocol with built-in security services that are as transparent as possible to the end user. It provides a digitally secure communications channel.

An SSL-capable server usually accepts SSL connection requests on a different port than standard HTTP requests. SSL creates a session during which the exchange of signals to set up communications between two modems needs to occur only once. After that, communication is encrypted. Message integrity checking continues until the SSL session expires.

security domain. A group (a company, work group or team, educational or governmental) whose certificates have been certified by the same CA. Users with certificates that are signed by a CA can trust the identity of another user that has a certificate signed by the same CA.

server. (1) In a network, a data station that provides functions to other stations; for example, a file server. (2) In TCP/IP, a system in a network that handles the requests of a system at another site, called a client/server.

server certificate. A digital certificate, issued by a CA to enable a Web server to conduct SSL-based transactions. When a browser connects to the server by using the SSL protocol, the server sends the browser its public key. This enables authentication of the identity of the server. It also enables encrypted information to be sent to the server. See also CA certificate, digital certificate, and browser certificate.

servlet. A server-side program that gives Java-enabled servers additional functionality.

SET. Secure Electronic Transaction.

SGML. Standard Generalized Markup Language.

SHA-1 (Secure Hash Algorithm). An algorithm that was designed by NIST and NSA for use with the Digital Signature Standard. The standard is the Secure Hash Standard; SHA is the algorithm that the standard uses. SHA produces a 160-bit hash.

sign. To use your private key to generate a signature.The signature is a means of proving that you areresponsible for and approve of the message you aresigning.

signing/verifying. To sign is to use a private digitalkey to generate a signature. To verify is to use thecorresponding public key to verify the signature.

Simple Mail Transfer Protocol (SMTP). A protocolthat transfers electronic mail over the Internet.

site certificate. Similar to a CA certificate, but validonly for a specific Web site. See also CA certificate.

smart card. A piece of hardware, typically the size of acredit card, for storing a user’s digital keys. A smartcard can be password-protected.

S/MIME. A standard that supports the signing andencryption of e-mail transmitted across the Internet. SeeMIME.

SMTP. Simple Mail Transfer Protocol.

SSL. Secure Sockets Layer.

Standard Generalized Markup Language (SGML). Astandard for describing markup languages. HTML isbased on SGML.

symmetric cryptography. Cryptography that uses thesame key for both encryption and decryption. Itssecurity rests in the key — revealing the key meansthat anyone could encipher and decipher messages. Thecommunication remains secret only as long as the keyremains secret. Contrast with asymmetric cryptography.

symmetric key. A key that can be used for bothencryption and decryption. See also symmetriccryptography.

Glossary 63

T

target. A designated or selected data source.

TCP/IP. Transmission Control Protocol/Internet Protocol.

top CA. The CA at the top of a PKI CA hierarchy.

TP. Trust Policy.

transaction ID. An identifier provided by the RA in response to a preregistration enrollment request. It enables a user running the Trust Authority Client application to obtain the pre-approved certificate.

Transmission Control Protocol/Internet Protocol (TCP/IP). A set of communication protocols that support peer-to-peer connectivity functions for local and wide area networks.

triple DES. A symmetric algorithm that encrypts the plaintext three times. Although many ways exist to do this, the most secure form of multiple encryption is triple-DES with three distinct keys.

Trust Authority. An integrated IBM SecureWay security solution that supports the issuance, renewal, and revocation of digital certificates. These certificates can be used in a wide range of Internet applications, providing a means to authenticate users and ensure trusted communications.

trust domain. A set of entities whose certificates have been certified by the same CA.

trusted computer base (TCB). The software and hardware elements that collectively enforce an organization's computer security policy. Any element or part of an element that can affect security policy enforcement is security-relevant and part of the TCB. The TCB is an object that is bounded by the security perimeter. The mechanisms that carry out the security policy must be non-circumventable, and must prevent programs from gaining access to system privileges to which they are not authorized.

trust model. A structuring convention that governs how certificate authorities certify other certificate authorities.

tunnel. In VPN technology, an on-demand virtual point-to-point connection made through the Internet. While connected, remote users can use the tunnel to exchange secure, encrypted, and encapsulated information with servers on the corporate private network.

type. See object type.

U

Unicode. A 16-bit character set that is defined by ISO 10646. The Unicode character encoding standard is an international character code for information processing. The Unicode standard encompasses the principal scripts of the world and provides the foundation for the internationalization and localization of software. All source code in the Java programming environment is written in Unicode.

Uniform Resource Locator (URL). A scheme for addressing resources on the Internet. The URL specifies the protocol and the host name or IP address. It also includes the port number, path, and resource details needed to access a resource from a particular machine.

URL. Uniform Resource Locator.

user authentication. The process of validating that the originator of a message is the identifiable and legitimate owner of the message. It also validates that you are communicating with the end user or system you expected to.

UTF-8. A transformation format. It enables information processing systems that handle only 8-bit character sets to convert 16-bit Unicode to an 8-bit equivalent and back again without loss of information.

V

Virtual Private Network (VPN). A private data network that uses the Internet rather than phone lines to establish remote connections. Because users access corporate network resources through an Internet Service Provider (ISP) rather than a telephone company, organizations can significantly reduce remote access costs. A VPN also enhances the security of data exchanges. In traditional firewall technology, message content can be encrypted, but the source and destination addresses are not. In VPN technology, users can establish a tunnel connection in which the entire information packet (content and header) is encrypted and encapsulated.

VPN. Virtual Private Network.

W

Web browser. Client software that runs on a desktop PC and enables the user to browse the World Wide Web or local HTML pages. It is a retrieval tool that provides universal access to the large collection of hypermedia material available in the Web and Internet. Some browsers can display text and graphics, and some can display only text. Most browsers can handle the major forms of Internet communication, such as FTP transactions.


Web server. A server program that responds to requests for information resources from browser programs. See also server.

WebSphere Application Server. An IBM product that helps users develop and manage high-performance Web sites. It eases the transition from simple Web publishing to advanced e-business Web applications. The WebSphere Application Server consists of a Java-based servlet engine that is independent of both the Web server and its underlying operating system.

World Wide Web (WWW). That part of the Internet where a network of connections is established between computers that contain hypermedia materials. These materials provide information and can provide links to other materials in the WWW and Internet. WWW resources are accessed through a Web browser program.

X

X.500. A standard for putting into effect a multipurpose, distributed and replicated directory service by interconnecting computer systems. Jointly defined by the International Telecommunications Union (ITU), formerly known as CCITT, and the International Organization for Standardization and International Electro-Chemical Commission (ISO/IEC).

X.509 certificate. A widely-accepted certificate standard designed to support secure management and distribution of digitally signed certificates across secure Internet networks. The X.509 certificate defines data structures that accommodate procedures for distributing public keys that are digitally signed by trusted third parties.

X.509 Version 3 certificate. The X.509v3 certificate has extended data structures for storing and retrieving certificate application information, certificate distribution information, certificate revocation information, policy information, and digital signatures.

X.509v3 processes create time-stamped CRLs for all certificates. Each time a certificate is used, X.509v3 capabilities allow the application to check the validity of the certificate. It also allows the application to determine whether the certificate is on the CRL. X.509v3 CRLs can be constructed for a specific validity period. They can also be based on other circumstances that might invalidate a certificate. For example, if an employee leaves an organization, their certificate would be put on the CRL.


Index

Numerics

4758 coprocessor
   described 35
   enabling for the CA 39
   RSA key size 39
   storing keys in 35
   storing the CA key 39

A

accessibility options 46
add_rauser utility 21
apply configuration values 45
attributes, DN
   example 14
   sequence 14
Audit server
   described 29
   host name 38
   port number 38
AuditArchiveAndSign tool 29
AuditIntegrityCheck tool 29
authorizing registrars 21

B

backing up the system 21
browser requirements 5, 47

C

CA key
   algorithm 39
   size 39
   storing in hardware 35, 39
CA server
   4758 coprocessor option 39
   described 30
   distinguished name 38
   host name 38
   key size 39
   port number 38
   signature algorithm 39
certificate management protocol (CMP) 32
certificate requests, submitting 18
certificate revocation list (CRL) 30
CfgSetupWizard.html file 9
CfgStart program
   on AIX 10
   on NT 11
   on remote machines 13
cfguser username 9, 38
Change Password utility 20
Client application
   described 32
   PKIX requests 32
   server port for 44
collecting configuration data 6
common name, in DN 15
configuration data
   4758 coprocessor 39
   applying 45
   Audit server name 38
   Audit server port 38
   CA DN 38
   CA key 39
   CA server name 38
   CA server port 38
   Client application 44
   client authentication options 44
   Client requests 44
   Directory administrator 42
   Directory root 41
   Directory server name 40
   Directory server port 40
   form for recording options 7
   importing 12, 37
   migrating 37
   public Web server 43
   registration domain 42
   saving 45
   secure Web servers 44
   startup options 37
   summary 45
   Trust Authority password 38
   verifying 18
configuration data form 7
configuration files, editing 21
configuration process 45
configuration user 9, 38
configuring
   remote servers 13
   status information 45
   Trust Authority database 45
   workstations 5
country, in DN 16
Credential Central 18
customizing registration domains 22

D

DB2, described 30
Directory administrator
   described 32
   DN 42
   password 42
Directory schema 31
Directory server
   described 31
   Directory administrator 42
   host name 40
   ownership permissions 20
   port number 40
   root DN 41
Directory tree 31
DN editor
   attribute sequence 16
   CA DN 38
   described 15
   Directory administrator DN 42
   Directory root DN 41
   format type 16
   general information 15
   icon 38, 41, 42
   keyboard controls 46
   location information 16
   organization information 16
   using 15
DN flexibility 22
DNs
   Certificate Authority 38
   common name 15
   country name 16
   Directory administrator 42
   Directory root 41
   Directory schema 31
   Directory tree 31
   example 14
   locality 16
   non-English 47
   organization name 16
   organizational unit 16
   rules for typing 14
   state or province 16
   street address 16
   using the DN Editor 15
downloading swingall.jar 9

E

editing configuration files 21
editing DNs 15
encryption keys, for the CA 39
enrollment 18

F

Finish button 45
form for configuration data 7

H

help for the Setup Wizard 9, 10
host names
   CA and Audit server 38
   Directory server 40
   public Web server 43
   secure Web servers 44
   Trust Authority server 37

I

IBM HTTP Server 34, 43, 44
importing configuration data 12, 37
IniEditor program 21
IP addresses
   CA and Audit server 38
   Directory server 40
   public Web server 43
   secure Web server 44

© Copyright IBM Corp. 1999, 2000 67

IP addresses (continued)
   Trust Authority server 37
issued certificate list (ICL) 30

K

keyboard controls 46

L

LDAP standard 31
locality, in DN 16
log messages 17

M

MAC (message authentication code)
   in Audit processing 29
   in CA processing 30
machine requirements 5
masking audit events 29
messages, viewing 17, 45
migrating configuration data 37
Modifying ACLs 22
mouse alternatives 46

O

operating systems, supported 5
organization name, in DN 16
organizational unit, in DN 16

P

passwords
   changing 20
   Directory administrator 42
   root DN 41
   Trust Authority server 38
permissions, slapd.conf 20
PKIX certificates
   described 32
   port for processing 44
ports
   CA and Audit server 38
   Client application 44
   client-authentication 44
   Directory server 40
   public Web server 43
   secure Web servers 44
product overview 1
production system, preparing for 19

R

Readme file 3
reconfiguring the system 23
registrars, authorizing 21
registration domains
   customizing 22
   described 33
   installation directory 42
   language 42
   name 42
   non-English 47
remote configuration 13
renaming the Setup Wizard 20
root DN
   described 32
   name 41
   password 41
RSA key 39

S

saving configuration data 45
securing the Setup Wizard 20
servers
   Audit 38
   CA 38
   Directory 40
   IBM HTTP 43, 44
   public 43
   RA 44
   secure 44
   Trust Authority 37
   uninstalling from AIX 24
   uninstalling from Windows NT 27
Setup Wizard
   accessibility options 46
   configuration process 45
   exiting 37
   help for 9, 10
   installation location 20
   keyboard controls 46
   preparing to run 5
   securing 20
   starting 9, 37
   Web browser setup 5
sha-1WithRSAEncryption 39
slapd.conf file 20
smart cards 32
SSL
   described 33
   in Trust Authority 34
   secure Web servers 44
starting the Setup Wizard 9
startup options 37
state or province, in DN 16
storing CA keys in hardware 39
street address, in DN 16
submitting certificate requests 18
Swing library 5
swingall.jar file 9
system requirements 5

T

Trust Authority configuration user 9, 38
Trust Authority Web site 3
typing DNs 14

U

uninstalling
   server components from AIX 24
   server components from NT 27
URLs
   for Credential Central 18
   for Readme file 3
   for registration domains 33
   for Setup Wizard 9
   for Trust Authority 3

V

verifying the configuration 18
View Advanced Messages button 45
viewing
   configuration messages 17, 45
   configuration status 45

W

Web servers
   in Trust Authority 34
   public server name 43
   public server port 43
   secure server names 44
   secure server ports 44
Web site, Trust Authority 3
workstation requirements 5


Program Number: 5648-D09

Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber.

SH09-4529-01