CertAgent. Administrator Guide

Transcription

1 CertAgent Administrator Guide Version August 3, 2016

2 Information in this document is subject to change without notice and does not represent a commitment on the part of Information Security Corporation. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of the agreement. No part of this manual may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose other than the purchaser s personal use without the prior written permission of Information Security Corp. CertAgent is commercial computer software and, together with any related documentation, is subject to the restrictions on U.S. Government use as set forth below. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software Clause at DFARS Contractor/manufacturer is Information Security Corporation, 1011 Lake Street, Suite 425, Oak Park, IL 6030 The U.S. International Traffic in Arms Regulations (ITARs) (22 CFR ) prohibits the dissemination of certain types of technical data to foreign nationals. Protected by U.S. Patent No. 5,699,43 CertAgent is a trademark of Information Security Corp. Other product and company names mentioned in this document may be the trademarks of their respective owners. The cryptographic functionality of CertAgent is provided by CDK 7.0, ISC s FIPS validated cryptographic module, via a Java JNI and/or an RMI interface. In addition, CertAgent uses code extracted or derived from the following open source software packages redistributable under the terms of the GPL: Log4j, Version 16: Copyright The Apache Software Foundation. All rights reserved. jquery, Version 10: Copyright The jquery Foundation, Inc. JSON-RPC, Version 0: Copyright by the JSON-RPC Working Group CertAgent Administrator Guide, Version (August 2016) Information Security Corporation. All rights reserved. Information Security Corporation 1011 W. Lake Street, Suite 425 Oak Park, IL Phone: Fax: Website: sales@infoseccorp.com 2

3 Table of Contents 1 Introduction CertAgent Architecture About this Guide Technical Support Site Administration Overview Access Control and Permissions Logging in as Site Administrator Importing Credentials into Browsers Logging in Managing System Credentials Configuring Database Settings Managing the Local Administrator Access Control List Managing the NIAP Conformance Options Data Integrity User Authentication Certificates LDAP Configuration Access Banner Managing the Server Administration Access Control List Managing CA Accounts Creating a New CA Account Managing an Existing CA account Managing Jobs Configuring Settings Managing the Audit Trail Audit Table Format and Description Searching the Audit Trail Managing Auditable Events Using Help Logging Out Certificate Authorities Logging in to a CA account Public Site Viewing the Public Site

4 1 Introduction CertAgent is an X.509-compliant certificate authority (CA). It is an easily managed, web-based certificate authority (CA) intended to be used as the core component of an enterprise public key infrastructure (PKI). Designed to meet the needs of a wide variety of organizations, the current release offers enhanced enrollment services (EST), remote administration, integrated certificate and CRL databases, and an OCSP responder. It supports an unlimited number of root and intermediate CAs, providing support for as complex a certificate hierarchy as the size of your enterprise warrants. 1 CertAgent Architecture The following diagram illustrates the basic layout of the CertAgent system. HSM Database External LDAP Repository (optional) CertAgent ISC CDK (FIPS 140-2) JNI CertAgent Server RMI CACLI Report Generator Administration Web App Java Servlet/JSP Container Public Web App PIN Entry Interface Admin Site CA Account Site RA Management Interface DBAccess Interface Public Site OCSP Responder EST Web App TLS TLS w/ client auth. (ACL) TLS TLS basic/client auth. Local admin Local admin from localhost or authorized IP address Authorized Admin RA Audit Server or Certificate Query Users OCSP Client EST Client The CertAgent 7 System Architecture 4

5 2 About this Guide This Administrator s Guide provides information that will assist you in effectively using the Admin side of a CertAgent website as the system administrator. Described in detail are all tasks assigned to the system administrator role, including entering the system PIN upon start-up, managing system credentials, creating and configuring CA accounts, managing access control list and jobs, and viewing the audit trail. The role played by certificate authorities (uses of both master CA accounts and profiles) is described in detail in the separate CertAgent Certificate Authority Guide. 3 Technical Support Information Security Corporation provides technical support for CertAgent during normal business working days, Monday through Friday, 8:00 a.m. to 4:30 p.m. Central Standard Time. Phone: (708) Fax: (708) Web: techsupport@infoseccorp.com 5

6 2 Site Administration 1 Overview The Admin pages of the CertAgent website are secured using SSL with client authentication. When you attempt to access these pages using your web browser, your identity will be verified by the web server using strong X.509 certificate-based authentication and all command processes and data transfers between your computer and web server will be encrypted. 2 Access Control and Permissions The CertAgent system administrative webpages support the following roles and responsibilities: Role Permission Responsibility administrator administrator local admin admin auditor audit view and export audit trails inject HSM PIN, manage system credentials, database configuration settings, and ACLs on the current host and servers, and NIAP configuration manage CA accounts, trust anchor database, CRL store for path validations, NIAP configuration, jobs, settings, run integrity tests, and configure audit trails 3 Logging in as Site Administrator An initial (temporary) administrator certificate (<ca home>/keystore/ca-admin.der) and auditor certificate (<ca home>/keystore/ca-auditor.der) are automatically added to the administrator ACL, with admin and audit permissions respectively, during installation. You should import these temporary credentials (<ca home>/keystore/ca-admin.p12 and ca-auditor.p12 with password <p12 pass>) into your web browser s certificate store in order to gain access to the Admin site. 1 Importing Credentials into Browsers If you have selected the AES-256 option to encrypt your private key during the installation, the PKCS#12 files generated by the installer can only be imported to compatible browsers (e.g., Internet Explorer on Windows 11). If your browser doesn t support the AES-256 format, you can use the following OpenSSL commands to create a new PKCS#12 that uses DES3 to encrypt the private key. 6

7 openssl pkcs12 -in ca-admin.p12 -out ca-admin.pem openssl pkcs12 -export -in ca-admin.pem -out ca-admin-desp12 1 Firefox To import the administrator s credentials into Firefox 45 ESR: Select the Menu button. Select Preferences on UNIX or Options on Windows. From the left-side menu, select Advanced. Select the Certificates tab and click View Certificates. In the Certificate Manage dialog, select the Your Certificates tab and click Import. Browse to the PKCS#12 file (e.g., <ca home>/keystore/ca-admin.der) and click Open. Enter the password that was used to encrypt the private key and click OK. Firefox will alert you when the certificate has been installed successfully. Select the Authorities tab, select the root certificate (e.g., CertAgent Root CA) which listed under the organization you have entered during the installation. Click Edit Trust, click all three checkboxes in the Edit CA certificate trust settings dialog and click OK. Click OK to close the Certificate Manage dialog. 2 Internet Explorer To import the administrator s credentials into Internet Explorer 11: 4. Select the Tools, Internet Options from the menu bar. Select the Content tab and click Certificates. Select the Personal tab and click Import. In the Certificate Import Wizard: a. Click Next. b. Click Browse.., locate the PKCS#12 file (e.g., <ca home>/keystore/ca-admin.der) and click Open. c. Click Next, enter the password that was used to encrypt the private key and click Next. 7

8 d. Select Automatically select the certificate store based on the type of certificate option, browse the store to Personal and click Next. Then, click Finish. e. When the Security Warning dialog appears with the Root CA information (e.g., CertAgent Root CA), click Yes to trust this certificate. f. It will alert you when the certificate has been installed successfully. 2 Logging in Launch Internet Explorer and enter the following URL in its address bar: port>/certagentadmin/admin/login.jsp Be sure to replace <host> and <admin port> with the appropriate system name (or IP address) and SSL port of your CertAgent webserver. Select your certificate in the Windows Security dialog to authenticate yourself to the webserver, and then click OK. NOTE: If your certificate does not appear in the Windows Security dialog, make sure that the appropriate administrative credentials have been imported into the Internet Explorer Personal certificates store and the trust anchor (root certificate) for your certificate has been imported into the trust store of your servlet container. 4. If access banner is enabled from the Admin site, a page with advisory notice and consent warning message will appear. Click the Login button to continue. Once you have successfully logged in, the following Welcome page will appear: 8

9 Depending on the permissions of an authorized user, the set of pages and tasks available are appropriately limited. 4 Managing System Credentials 1 CertAgent has a set of system credentials that is used to protect all CA HSM PINs and passwords used in the various configurations settings. To view the system credentials, click the Local System, Credentials item in the left-hand action menu. To update the system credentials: Click Update. Select Use default to use the existing HSM access settings. Otherwise, select Use custom and specify the required HSM access information. To view the slots and labels available on your HSM, enter the path of the vendor-provided access library and click View Slots/Labels. To generate a new key pair: a. Select Generate a new key pair and click Next. 1 Requires the local admin permission. 9

10 b. Enter the RDNs and change the key type and size, message digest and validity period, if needed. c. Click Next and then OK at the confirmation prompt to confirm your intentions. 4. To select an existing key pair: a. Select Use an existing key pair and click Next to see a list of all encrypt-capable credentials on the specified HSM. b. Select the system certificate you wish to use. (To view detailed information about any of the available certificates, click its DN.) c. Click Next and then OK at the confirmation prompt to confirm your intentions. NOTE: Each cloned CertAgent system in a high-availability cluster must be configured to use the same system credentials. To change the system credentials in a cluster, an authorized administrator must successively log in to each of the clones in the cluster using their individual IP addresses and update their system credentials manually. 5 Configuring Database Settings 2 The current release of CertAgent uses an auxiliary Oracle, PostgreSQL, or HyperSQL database for the storage of its credentials, account configurations, certificates, certificate requests, access control lists, and audit trails. Consequently, a compatible JDBC driver or Instant Client must be separately licensed by the customer and installed on the CertAgent host; they are not included in the standard CCMS software distribution package. Database has already been configured during the installation. To update CertAgent to use different database configuration: Click the Local System, Database item in the left-hand action menu. Click the icon. Select the desired database form the Vendor drop-down. For Oracle database: If your database supports OCI, a SQL*Net configuration file may be used to define the addresses of database connections. Below is a sample tnsnames.ora file that must be located in the <ORACLE_HOME>/network/admin directory. RACDB = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = cl6cluster-scan)(port = 1521)) 2 Requires the local admin permission. 10

11 (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = racdb.infoseccorp.com) (FAILOVER_MODE =(TYPE=select)(METHOD=basic)) ) ) Specify jdbc:oracle:oci:@racdb in the URL field. Alternatively, include the above configuration in the URL: jdbc:oracle:oci:@(description=(address=(protocol=tcp) (HOST=cl6cluster-scan)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED) (SERVICE_NAME=racdb.infoseccorp.com)(FAILOVER_MODE=(TYPE=select) (METHOD=basic)))) If your database does not support OCI, use the following URL to establish a connection using the thin driver: jdbc:oracle:thin:@//<host>:<port>/<service name> For PostgreSQL database, use the following URL to establish a connection: jdbc:postgresql://<host>:<port>/<database> For HyperSQL database, use the following URL to establish a connection: jdbc:hsqldb:hsql://<host>[:<port>][/<alias>] Select New in the Instance option if this is the first CertAgent instance connecting to the specified database service. Enter the database user name and password created by the DBA. For details on account creation and requirement, see the section entitled Configuring Database in the CertAgent Certificate Authority Guide (ca_install.pdf). Change the connection pool setting if needed. CertAgent uses a connection pool for database communications. By default, five connections are created upon pool initialization and a maximum of twenty connections can be cached. A connection timeout value of 20 seconds is set to allow CertAgent to wait for an available connection in the pool before terminating a request. A connection in the pool is automatically closed once it has been idle for seven hours. 7. Click Update to save your changes. 11

12 6 Managing the Local Administrator Access Control List 3 To manage the admin ACL of the current host: Click Local System, Access Control. It lists the current users who are authorized to access the administrative pages and manage the local system. To add a certificate to the access control list, click Add. Then upload the certificate by clicking Browse, locating the appropriate certificate file, and clicking Upload. Confirmation message will be displayed. To inspect a certificate, click on the desired certificate DN. A popup dialog with certificate information will be displayed. Click Close to close the dialog. To remove one or more certificates from the access control list, check the box before the certificates you wish to delete and click Remove. Click OK in the confirmation dialog to remove the selected certificate from the Admin access control list. 7 Managing the NIAP Conformance Options 4 To manage the NIAP conformance options: Click Servers, NIAP Conformance. The following page will appear: 3 Requires the local admin permission. 4 Requires the local admin or admin permission. 12

13 To make CertAgent conform to the NIAP requirements, all the options on this page must be checked. The following sections describe each option in detail. 7.1 Data Integrity An error detection code (EDC) is applied to the Trust Anchor database, Certificate database, and ACL database. The EDC used is a 64 bit cyclic redundancy check (CRC). Integrity can be verified at power-up (after system PIN has been entered to enable access to the database) and on-demand by an Admin Site Administrator. The integrity of ACL databases is verified before displaying the ACL or allowing the ACL to be modified. Multiple CRC values are maintained: Covered Item Trust anchor table ACL table Certificate tables CRC A single CRC covers the trust anchor table A single CRC covers the ACL table Each certificate table has multiple CRC values. Each CRC value covers 100 rows of data in that table In case of any integrity failure occurring, CertAgent will record the error in the audit trail, and local debug text file, destroy any sensitive data, and shut down the CertAgent service. 13

14 A local administrator must restart CertAgent with the system property set to: isc.ca.niap.disable=true which will disable the integrity tests along with other NIAP options. They will then need to: For the trust anchor and ACL databases, all certificates should be removed and reimported to the database. For the certificate database, the affected certificate database should be recovered from a backup and any certificates issued since the last backup must be imported into CertAgent. 7.1 Updating the Settings To update the Data Integrity settings: Click the icon in the Data Integrity section. Update the settings as desired and click Update. Available options are: Enable database integrity on the Trust Anchor database Enable database integrity on the ACL database Enable database integrity on the CA account s Certificate database Run integrity tests on server startup NOTE: If an integrity setting is changed from disabled to enabled, the checksum of the associated table will be recomputed automatically. You will be prompted to confirm your intention. Click OK to continue. The result will be displayed. 7.2 Running Integrity Test on Demand To run the integrity test: Click the Run Integrity Test link associated with the database setting. For Trust Anchor and ACL databases, click OK at the confirmation prompt to confirm your intentions. For Certificate database, select the desired CA account name, and click Run. The result will be displayed. 14

15 7.3 Resetting Checksum To reset the checksum manually: Click the Reset Checksum link associated with the database setting. For Trust Anchor and ACL databases, click OK at the confirmation prompt to confirm your intention. For Certificate database, select the desired CA account name, and click Run. The result will be displayed. 7.2 User Authentication 7.1 Certificate and Path Validations Certificates used to authenticate to the CertAgent web interfaces are validated first by the servlet container (e.g., Apache Tomcat): Certificate validation and certificate path validation The certificate path must terminate with a certificate in the Trust Anchor keystore configured in the servlet container If the certificate and path validations option is enabled, the certificate will be validated again by CertAgent: IETF RFC 5280 certificate validation and certificate path validation The certificate path must terminate with a certificate in the Trust Anchor Database managed by the CertAgent Administrator CertAgent requires that intermediate and root certificates contain a basicconstraints extension asserting the ca flag CertAgent checks the revocation status of the user and intermediate certificates using Certificate Revocation Lists (CRLs) managed by the CertAgent Administrator The end entity certificate presented must have the Client Authentication usage (OID ) set in the extendedkeyusage field To update the Certificate and Path Validations settings: Click the icon in the User Authentication section. Check or uncheck the Enable certificate and path validations checkbox and click Update. 15

16 To manage the Trust Anchor database: Click the Manage Trust Anchors link in the User Authentication section. To add a trust anchor certificate to the list, click Add, then upload it by clicking Browse, locating the appropriate certificate file (X.509 certificate or PKCS#7), and clicking Upload. A confirmation message will be displayed. NOTE: Only valid self-signed certificates containing a basicconstraints extension asserting the CA flag can be imported into the list. 4. To inspect a particular certificate, click on its DN. A popup dialog with certificate information will appear. Click Close to close the dialog. To remove one or more certificates from the list, check the boxes of those you wish to delete and click Remove. Then click OK in the confirmation dialog. To manage the CRLs used for path validation: Click the Manage CRLs link in the User Authentication section. To add a CRL to the list, click Add, then upload it by clicking Browse, locating the appropriate CRL file, and clicking Upload. A confirmation message will be displayed. To inspect a particular CRL, click on its DN. A popup dialog with certificate information will appear. Click Close to close the dialog. To remove one or more CRLs from the list, check the boxes of those you wish to delete and click Remove. Then click OK in the confirmation dialog. 7.2 Restrictions on Security Roles CertAgent supports 5 roles (Admin Site Administrator, Admin Site Auditor, CA Site Administrator, CA Site Auditor, CA Operations Staff) each of which consists of an access control list (ACL) of one or more X.509 certificates and one or more rights (certify, revoke, RAMI, and DBAccess). If restrictions on security roles are enabled, CertAgent refuses to allow the same certificate to be placed: on both an Audit ACL and a non-audit ACL in the Admin Site on both an Audit ACL and a non-audit ACL within a given account on the CA Site on both a CA Operations Staff ACL and a non-ca Operations Staff ACL for a given account on the CA Site In order to operate CertAgent properly, at least three different credentials are required. Each certificate has to upload to the appropriate ACL with admin, audit, or CA operations staff permission. To update the Restriction on Security Roles settings: 16

17 Click the icon in the User Authentication section. Check or uncheck the Enable restrictions on security roles checkbox and click Update. 7.3 Certificates 7.1 Adding Random Bytes to the Serial Number CertAgent uses the database sequence to keep track of the next sequential number. If this option is enabled, each 20 byte serial number consists of 3 leading random bytes and 17 bytes representing the next sequential number, padded with leading zeros. The random bytes are obtained from the ISC CDK. 7.2 Requiring Consistent Values in Key Usage and Extended Key Usage Extensions If this option is enabled, the following purposes in the extended key usage extension must be set with the specified purpose in the key usage extension: Server authentication ( ) must be set with digital signature, key encipherment or key agreement Client Authentication ( ) must be set with digital signature and/or key agreement Code signing ( ) must be set with digital signature protection ( ) must be set with digital signature, non-repudiation, and/or (key encipherment or key agreement) Time stamping ( ) must be set with digital signature and/or non-repudiation OCSP signing ( ) must be set with digital signature and/or non-repudiation 7.3 Requiring Authority Key Identifier Extension If this option is enabled, any certificates issued by a CA account must have the authority key identifier extension. 7.4 Updating the Settings To update the Certificates settings: Click the icon in the Certificates section. Update the settings as desired and click Update. Available options are: 17

18 Add three random bytes to the serial number Require consistent values in keyusage and extendedkeyusage extensions Require authoritykeyidentifier extension 7.4 LDAP Configuration CertAgent support the following authentications to LDAP servers: anonymous simple bind authenticated simple bind authenticated simple bind with TLS certificate-based authentication with TLS The TLS protocol is provided by Java Secure Socket Extension (JSSE). In order for CertAgent to conform to NIAP requirements, the authenticated simple bind with TLS and certificate-based authentication with TLS methods must be disabled. To update the LDAP Configuration settings: Click the icon in the LDAP Configuration section. Check or uncheck the Disable LDAP configuration with TLS authentication checkbox and click Update. 7.5 Access Banner Before establishing a login session to the CertAgent, a configurable advisory notice and consent warning banner can be displayed on the Login pages of the Admin and CA account sites. To manage the access banner: Click the icon in the Access Banner section. To add an access banner, check the Display an access banner on the Login page checkbox. Enter the warning messages (plain text and HTML are allowed) in the text area and click Update. 18

19 8 Managing the Server Administration Access Control List 5 Authorized Server administrators can manage NIAP conformance options, create CA accounts, manage jobs, configure settings, and audit trails from any CertAgent systems. To manage the Server Administration ACL: Click Servers, Access Control to view a list of the entities who are currently authorized to access the administrative pages on the current host (and on any other CertAgent system in a highavailability cluster to which the current host may belong). To add a certificate to the ACL, click Add, then upload it by clicking Browse, locating the appropriate certificate file, selecting the desired permissions, and clicking Upload. A confirmation message will be displayed. NOTE: If Enable restrictions on security roles option is enabled in the NIAP Conformance Options page, either admin or audit permission can be assigned to a user certificate To update the permission of an existing user, click the icon for the certificate you wish to modify. Uncheck the current permission, check the desired permission, and click Update. To inspect a particular certificate, click on its DN. A popup dialog with certificate information will appear. Click Close to close the dialog. To remove one or more certificates from the ACL, check the boxes of those you wish to delete and click Remove. Then click OK in the confirmation dialog. 9 Managing CA Accounts 6 Once you have logged in to a CertAgent website as an administrator with the admin permission, you may create a new CA account, manage an existing account, or modify site-wide configuration settings. This section explains each of these procedures assuming you are starting from the Admin Welcome page. 9.1 Creating a New CA Account To create a new account: Click the Servers, CA Accounts item in the left-hand action menu and click Create. Then complete the new account form. The descriptions of each setting on this page are given in the following table: 5 Requires the local admin permission. 6 Requires the admin permission. 19

20 Setting Account Name Display Name CA Description Description A unique identifier for a Certificate Authority; may only contain the characters A-Z, a-z, and 0-9. This name will be embedded in the system URIs for certificates and CRL retrieval. The friendly name of the account; may only contain the characters A-Z, a-z, 0-9, and space. The description of this CA as it will appear on the CA Resources page of the public site 4. Click Create at the bottom of the page. A new CA account will be created and a confirmation message will be displayed. Only authorized users can access the CA account page. To add authorized users to this account, click the Add button to upload an authorized user s certificate to the ACL. For detail on uploading a certificate to the ACL, see next section. NOTE: Each user of a CA account must have their own key pair and their certificate must be included in the account s ACL. When creating a new CA account, the administrator should add his/her certificate to the account ACL, then log in to the CA account and create or import the credentials for that CA. Once the CA account is established, potential users of that account may submit certificate requests via the public site and the site administrator can use the account to process those requests and install the issued certificates into the ACL for that CA account. Be sure to import the root certificates for all necessary certificate chains into the host s trusted keystore. Otherwise, certificates subordinate to those root certificates will not be trusted by the webserver. 9.2 Managing an Existing CA account To view or modify the settings for an existing account: Click Server, CA Accounts in the main menu to view the list of active CA accounts. Click the icon for the CA account you wish to modify. Click Add to add a certificate to the access control list. Then upload the certificate by clicking Browse, locating the appropriate X.509 or PKCS#7 certificate file, selecting appropriate permissions, and clicking Upload. A confirmation message will be displayed. NOTE: Only end-user certificates in a PKCS#7 file will be installed; any CA certificates in the file are ignored. The following table describes the administrative permissions available for a CA account and the corresponding responsibilities: 20

21 Role Permission Responsibility administrator admin manage account configurations auditor audit view and export audit trails CA operations staff certify revoke RAMI DBAccess issue certificates and reject invalid certificate requests revoke certificates and issue CRLs submit requests via the RA management interface (RAMI) submit queries via the DBAcess service NOTE: If Enable restrictions on security roles option is enabled in the NIAP Conformance Options page, a user certificate can be assigned to one role (Administrator, Auditor, or CA Operations Staff). If CA Operations Staff is selected, one or more permissions (Certify, Reovke, RAMI, and DBAccess) can be assigned To update the permission of an existing user, click the icon for the certificate you wish to modify click. Uncheck the current permissions, check the desired permissions, and click Update. To inspect a certificate, click on the desired certificate DN. A popup dialog with certificate information will be displayed. Click Close to close the dialog. To remove one or more certificates from the ACL, check the boxes of those you wish to delete and click Remove. Then click Yes in the confirmation dialog. To remove an account, select the desired account and click Remove. Click OK to confirm the operation. All settings (configuration, key pair, databases, audit trails, and all profiles) for this account will be discarded and the CA will no longer be able to log into the site. Furthermore, endusers visiting the public side of the CertAgent website will no longer see this CA s name in the list of available CAs and they will not be able to submit a certificate request and obtain a certificate from this account. 10 Managing Jobs 7 CertAgent uses a background thread to periodically check for pending jobs and execute them on schedule. The default interval between checks is 15 minutes. The descriptions of the available jobs are given in the following table: Job Check certificates Automated CRL issuance Description checks for expired certificates and notifies users of imminent expirations; this job is scheduled for daily execution at midnight GMT time issues a CRL; this job is scheduled for execution sometime before the current CRL s nextupdate time 7 Requires the admin permission. 21

22 Publish certificate to LDAP Remove certificate from LDAP Publish CRL to LDAP publishes a user or CA s certificate to an LDAP repository removes a user certificate from an LDAP repository publishes the latest CRL to an LDAP repository Each job has associated attributes as described in this table: Attribute Description Job CA Account Next Update Status Last update Last error Failed attempts Locked type of job job owner time of execution status of the job; pending, running or disabled time of last execution, if any error message returned from last execution, if any number of times this job executed and failed address of host that initiated the lock on this job and the time when lock was initiated, if any When a job is executed by a CertAgent system it is marked as locked and its Locked attributes are assigned appropriate values. This ensures that no clone of the system in a high-availability cluster will attempt to execute the same job simultaneously. When a job successfully terminates, its lock is released and its attributes are reset: Next Update is updated and Locked is cleared. To view job configuration settings: Click the Servers, Jobs item in the left-hand action menu. Initial default configuration settings are displayed. Descriptions of the settings on this page are given in the following table: Setting Check job frequency Issue CRL threshold Restart job threshold Description how often the background thread checks for pending jobs how soon a CRL can be issued before the Next Update time; for example, if Next Update time is today at 11:00 am and the threshold is 30 minutes, a CRL will be issued between 10:30 and 11:00 am. if a job has been locked by a CertAgent server longer than this threshold value, the job will be released automatically 22

23 Retry limit Retry delay maximum number of times a job can retry before being disabled number of minutes to wait after the first failed attempt; wait time for the consecutive failed attempt is <delay> * <failed attempt> To update these settings, click the icon, make your changes, and click Update. To view the job lists: Click the Servers, Jobs item in the left-hand action menu. Select the Jobs tab. Lists of active and inactive jobs will be displayed, if any. To view and manage a job: Click the icon. To execute the job, click Run Now. To delete the job, click Delete. 11 Configuring Settings 8 CertAgent can send notification to an administrator when the following error conditions occur: job abortion after certain number of failed attempts failed to issue a CRL failed to issue a certificate To view and manage the settings: Click the Servers, Settings item in the left-hand action menu. Click the icon. To enable the settings: a. Check the Enable checkbox. b. Enter the SMTP server, port, from address, to address, subject and message fields. 8 Requires the admin permission. 23

24 If your mail server requires user authentication, check Require authentication box and specify the user name and password. Subject and message body of the notification are customizable. Particular token ($ERROR) is required in the message body. When composing a message, the token will be replaced with the appropriate error message. c. (Optional) Click the Test button to transmit a test message. d. Click Update to apply the changes. 12 Managing the Audit Trail CertAgent includes an audit facility that generates audit records when auditable events happen. Audit records are written to the database s Audit Table named CA_ADMIN_AUDIT. No user or auditor has the ability to delete or modify the audit data via the CertAgent interfaces. If, for some reason, the database is not available (it s full or offline ) CertAgent will stop operating and deny access until the issue is corrected at the local console. In these events, CertAgent will create diagnosis information in a local text file. Audit trail data may be transferred to an external IT entity by having that entity use the DBAccess API. This connection is client-authenticated and encrypted using TLS supplied by Apache Tomcat. The external IT entity is expected to poll the CertAgent periodically to obtain updated audit entries. For details on DBAccess API, see the section entitled Database Access Service in the CertAgent Certificate Authority Guide (ca_install.pdf). 11 Audit Table Format and Description The type and description of each available column in the Audit Table are given in the following table: Column Format and Description TYPE int Type of the event: 1: credentials 2: PIN 4: ACL 8: audit 16: login 32: database 64: job 128: CA account 256: 512: NIAP 1024: DBAccess 2048: System 24

25 SERVER CLIENT LDATE LLEVEL EVENT CLIENTID String IP address of the CertAgent system. String IP address of the client system, CACLI, or NULL (for the events that are triggered by the system) Timestamp Timestamp of the event. int Level of the event: 1: error 3: information String Recorded events String The identity of the client: Subject DN of an authorized user s certificate, CACLI, or NULL (for the events that are triggered by the system) 12 Searching the Audit Trail 9 Once you have logged in to a CertAgent website as an administrator with the audit permission, you may search the administrative audit trail. To search the administrative audit trail: Click the Audit Trails, Search item in the left-hand action menu. Initially, the default basic search criteria, named (new search), is displayed. On subsequent views, the last user-selected saved search for the current session is displayed. To search the audit trails using the basic search criteria: a. Specify the desired search criteria and the fields to be included in the report. You may use an asterisk (*) as a wildcard in the search string. The descriptions of each setting on this page are given in the following table: Setting Description Date Timestamp of the event. Available options: last hour, last 12 hours, today, last 7 days, last 30 days, and custom 9 Requires the audit permission. 25

26 Category Level Server Client Client ID Event Type of the event: ACL, audit, CA account, credential, database, DBAccess, , job, login, NIAP, PIN, and system. If not specified, all types will be displayed. Level of the event: INFO or ERROR. If specified, either error only and information only can be set. If not specified, both information and error events will be displayed. IP address of the CertAgent system. IP address of the client system. To search for events triggered by the system, enter [system]. To search for events triggered by the CACLI tool, enter CACLI. The identity of the client. Subject DN of an authorized user s certificate, CACLI, or (n/a) (for the events that are triggered by the system). Recorded events. Events with ERROR level will be displayed in red. 4. To search the audit trails using a SQL statement: a. Select the Advanced option. b. Specify one or more columns to be included in the first text area and optionally specify the WHERE clause in the second text area to construct the desired SQL statement. For details on the column names and description, see Audit Table Format and Description. To search for events triggered by the system, use CLIENT IS NULL in the WHERE clause. To search for events triggered by the CACLI tool, use CLIENT= CACLI in the WHERE clause Click Search to search for the events. Result will be displayed in the Result tab. To export the list of displayed events to a file in CSV format, click Export Search Result to File. To save the search to reuse, click Save Search. a. Select Save to overwrite the existing search. b. Otherwise, select Save as and specify a name. c. Click Save to apply the changes. To search the events by a given subject name (<user s subject DN>): In the Basic search, check the Client ID matches checkbox and specify <user s subject DN> in the associated field. Then click Search. 26

27 Alternatively, in the Advanced search, specify the return columns in the first text area, and WHERE CLIENTID = <user s subject DN> in the second text area. Then click Search. 13 Managing Auditable Events 10 Events are categorized by event type: ACL, audit, CA account, credential, database, DBAccess, , job, login, NIAP, PIN, and system. By default, all events are recorded. Administrator can select the desired event type of the events to be audited. To manage the auditable events: Click the Audit Trails, Search item in the left-hand action menu. Check the desired event type to be audited. Then, click Apply. 13 Using Help Click Help to open the online help system in a new window. 14 Logging Out Click Log Out when you have finished working with the site and wish to terminate your CertAgent session. 10 Requires the admin permission. 27

28 3 Certificate Authorities 1 Logging in to a CA account To log in to a CA account: Launch Internet Explorer and enter the following URL in its address bar: port>/certagentadmin/ca/login.jsp Be sure to replace <host> and <admin port> with the appropriate system name (or IP address) and SSL port of your CertAgent webserver. Select your certificate in the Windows Security dialog to authenticate yourself to the webserver and click OK. If you are authorized to access multiple accounts, select an account from the drop-down list. Otherwise, you will be logged in to your account automatically. For more information on how to manage the CA administrative site, please refer to its on-line help pages: port>/certagentadmin/ca/help.html 28

29 4 Public Site 4.1 Viewing the Public Site To view the public site, launch Internet Explorer and enter the following URL in its address bar: port>/certagent/main.jsp Be sure to replace [host] and [SSL port> with the appropriate system name (or IP address) and SSL port of your CertAgent webserver. For more information on the public site usage, please refer to its online help pages: port>/certagent/help.html 29