CertAgent. Administrator Guide


CertAgent Administrator Guide
Version 7.0
July 5, 2018

Information in this document is subject to change without notice and does not represent a commitment on the part of Information Security Corporation. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of the agreement. No part of this manual may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose other than the purchaser's personal use without the prior written permission of Information Security Corp.

CertAgent is commercial computer software and, together with any related documentation, is subject to the restrictions on U.S. Government use as set forth below.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software Clause at DFARS Contractor/manufacturer is Information Security Corporation, 1011 Lake Street, Suite 425, Oak Park, IL 6030

The U.S. International Traffic in Arms Regulations (ITARs) (22 CFR ) prohibits the dissemination of certain types of technical data to foreign nationals.

Protected by U.S. Patent No. 5,699,43

CertAgent is a trademark of Information Security Corp. Other product and company names mentioned in this document may be the trademarks of their respective owners.

The cryptographic functionality of CertAgent is provided by CDK 7.0, ISC's FIPS validated cryptographic module, via a Java JNI and/or an RMI interface. In addition, CertAgent uses code extracted or derived from the following open source software packages redistributable under the terms of the GPL:

Log4j, Version 16: Copyright The Apache Software Foundation. All rights reserved.
jQuery, Version 10: Copyright The jQuery Foundation, Inc.
JSON-RPC, Version 0: Copyright by the JSON-RPC Working Group

CertAgent Administrator Guide, Version 7.0 (Revision 6, July 2018)
Information Security Corporation. All rights reserved.

Information Security Corporation
1011 W. Lake Street, Suite 425
Oak Park, IL
Phone: Fax: Website: tech@infoseccorp.com

Table of Contents

1 Introduction
  CertAgent Architecture
  About this Guide
  Technical Support
Site Administration
  Overview
  Access Control and Permissions
  Logging in as Site Administrator
    Importing Credentials into Browsers
    Logging in
  Managing System Credentials
  Configuring Database Settings
  Managing the NIAP Conformance Options
    Data Integrity
    User Authentication
    Certificates
    LDAP Configuration
    Configuration
    Access Banner
  Managing the Server Administration Access Control List
  Managing CA Accounts
    Creating a New CA Account
    Managing an Existing CA account
  Managing Jobs
  Configuring Settings
  Managing the Audit Trail
    Audit Table Format and Description
    Searching the Audit Trail
    Managing Auditable Events
  Using Help
  Logging Out
Certificate Authorities
  Logging in to a CA account
Public Site
  Viewing the Public Site

1 Introduction

CertAgent is an easily managed, web-based, X.509-compliant certificate authority (CA) intended to be used as the core component of an enterprise public key infrastructure (PKI). Designed to meet the needs of a wide variety of organizations, the current release offers enhanced enrollment services (EST), remote administration, integrated certificate and CRL databases, and an OCSP responder. It supports an unlimited number of root and intermediate CAs, providing support for as complex a certificate hierarchy as the size of your enterprise warrants.

1 CertAgent Architecture

The following diagram illustrates the basic layout of the CertAgent system.

[Figure: The CertAgent 7 System Architecture. Labels in the diagram: HSM; Database; External LDAP Repository (optional); ISC CDK (FIPS 140-2), reached over JNI; CertAgent Server, reached over RMI; CACLI; Report Generator; PIN Entry Interface; Java Servlet/JSP Container hosting the Administration Web App (Admin Site, CA Account Site, RA Management Interface, DBAccess Interface), the Public Web App (Public Site, OCSP Responder) and the EST Web App; connections labelled TLS, TLS w/ client auth. (ACL), and TLS basic/client auth.; actors labelled Local admin (from localhost or authorized IP address), Authorized Admin, RA, Audit Server or Certificate Query, Users, OCSP Client, and EST Client.]

2 About this Guide

This Administrator's Guide provides information that will assist you in effectively using the Admin side of a CertAgent website as the system administrator. It describes in detail all tasks assigned to the system administrator role, including entering the system PIN upon start-up, managing system credentials, creating and configuring CA accounts, managing access control lists and jobs, and viewing the audit trail.

The role played by certificate authorities (uses of both master CA accounts and profiles) is described in detail in the separate CertAgent Certificate Authority Guide.

3 Technical Support

Information Security Corporation provides technical support for CertAgent during normal business working days, Monday through Friday, 8:00 a.m. to 5:00 p.m. Central Standard Time.

Phone: (708) Fax: (708) Web: techsupport@infoseccorp.com

2 Site Administration

1 Overview

The Admin pages of the CertAgent website are secured using SSL with client authentication. When you attempt to access these pages using your web browser, your identity will be verified by the web server using strong X.509 certificate-based authentication, and all command processes and data transfers between your computer and the web server will be encrypted.

2 Access Control and Permissions

The CertAgent system administrative webpages support the following roles and responsibilities:

Role: administrator
Permission: admin
Responsibility: manage system credentials, database configuration, CA accounts, trust anchor database, CRL store for path validations, NIAP configuration, jobs, settings, run integrity tests, and configure audit trails

Role: auditor
Permission: audit
Responsibility: view and export audit trails

3 Logging in as Site Administrator

An initial (temporary) administrator certificate (<ca home>/keystore/ca-admin.der) and auditor certificate (<ca home>/keystore/ca-auditor.der) are automatically added to the ACL, with admin and audit permissions respectively, during installation. You should import these temporary credentials (<ca home>/keystore/ca-admin.p12 and ca-auditor.p12 with password <p12 pass>) into your web browser's certificate store in order to gain access to the Admin site.

1 Importing Credentials into Browsers

If you selected the NIAP compliance option during installation, AES-256 will be used to encrypt your private key. The PKCS#12 files generated by the installer can only be imported into compatible browsers (e.g., Firefox 56+ and Internet Explorer on Windows 10).

1 Firefox

To import the administrator's credentials into Firefox:

1. Select the Menu button.
2. Select Preferences on UNIX or Options on Windows.
3. From the left-side menu, select Privacy & Security.
4. In the Security section, click View Certificates.
5. In the Certificate Manager dialog, select the Your Certificates tab and click Import.
6. Browse to the PKCS#12 file (e.g., <ca home>/keystore/ca-admin.p12) and click Open.
7. Enter the password that was used to encrypt the private key and click OK. Firefox will alert you when the certificate has been installed successfully.
8. Select the Authorities tab, then select the root certificate (e.g., CertAgent <version> Root CA), which is listed under the organization you entered during the installation.
9. Click Edit Trust, check all three checkboxes in the Edit CA certificate trust settings dialog and click OK.
10. Click OK to close the Certificate Manager dialog.

2 Internet Explorer

To import the administrator's credentials into Internet Explorer 11:

1. Select Tools, Internet Options from the menu bar.
2. Select the Content tab and click Certificates.
3. Select the Personal tab and click Import.
4. In the Certificate Import Wizard:
   a. Click Next.
   b. Click Browse.., locate the PKCS#12 file (e.g., <ca home>/keystore/ca-admin.p12) and click Open.
   c. Click Next, enter the password that was used to encrypt the private key and click Next.
   d. Select the Automatically select the certificate store based on the type of certificate option, browse the store to Personal and click Next. Then, click Finish.
   e. When the Security Warning dialog appears with the Root CA information (e.g., CertAgent <version> Root CA), click Yes to trust this certificate.
   f. It will alert you when the certificate has been installed successfully.

2 Logging in

1. Launch Internet Explorer and enter the following URL in its address bar:

   port>/certagentadmin/admin/login.jsp

   Be sure to replace <host> and <admin port> with the appropriate system name (or IP address) and SSL port of your CertAgent webserver.
2. Select your certificate in the Windows Security dialog to authenticate yourself to the webserver, and then click OK.

   NOTE: If your certificate does not appear in the Windows Security dialog, make sure that the appropriate administrative credentials have been imported into the Internet Explorer Personal certificates store and that the trust anchor (root certificate) for your certificate has been imported into the trust store of your servlet container.
3. If the access banner is enabled from the Admin site, a page with an advisory notice and consent warning message will appear. Click the Login button to continue.

Once you have successfully logged in, the following Welcome page will appear:

Depending on the permissions of an authorized user, the set of pages and tasks available is appropriately limited.

4 Managing System Credentials

(Requires the admin permission.)

CertAgent has a set of system credentials that is used to protect all CA HSM PINs and passwords used in the various configuration settings.

To view the system credentials, click the Local System, Credentials item in the left-hand action menu.

To update the system credentials:

1. Click Update.
2. Select Use default to use the existing HSM access settings. Otherwise, select Use custom and specify the required HSM access information. To view the slots and labels available on your HSM, enter the path of the vendor-provided access library and click View Slots/Labels.
3. To generate a new key pair:
   a. Select Generate a new key pair and click Next.
   b. Enter the RDNs and change the key type and size, message digest and validity period, if needed.
   c. Click Next and then OK at the confirmation prompt to confirm your intentions.
4. To select an existing key pair:
   a. Select Use an existing key pair and click Next to see a list of all encrypt-capable credentials on the specified HSM.
   b. Select the system certificate you wish to use. (To view detailed information about any of the available certificates, click its DN.)
   c. Click Next and then OK at the confirmation prompt to confirm your intentions.

NOTE: Each cloned CertAgent system in a high-availability cluster must be configured to use the same system credentials. To change the system credentials in a cluster, an authorized administrator must successively log in to each of the clones in the cluster using their individual IP addresses and update their system credentials manually.

5 Configuring Database Settings

(Requires the admin permission.)

The current release of CertAgent uses an auxiliary Oracle, PostgreSQL, or HyperSQL database for the storage of its credentials, account configurations, certificates, certificate requests, access control lists, and audit trails. Consequently, a compatible JDBC driver or Instant Client must be separately licensed by the customer and installed on the CertAgent host; they are not included in the standard CCMS software distribution package.

The database has already been configured during the installation. To update CertAgent to use a different database configuration:

1. Click the Local System, Database item in the left-hand action menu.
2. Click the icon.
3. Select the desired database from the Vendor drop-down.

   For a PostgreSQL database, use the following URL to establish a connection:

       jdbc:postgresql://<host>:<port>/<database>

   For a HyperSQL database, use the following URL to establish a connection:

       jdbc:hsqldb:hsql://<host>[:<port>][/<alias>]

   For an Oracle database:

   NOTE: This option is not available in NIAP compliant mode.

   If your database supports OCI, a SQL*Net configuration file may be used to define the addresses of database connections. Below is a sample tnsnames.ora file that must be located in the <ORACLE_HOME>/network/admin directory.

       RACDB =
         (DESCRIPTION =
           (ADDRESS = (PROTOCOL = TCP)(HOST = cl6cluster-scan)(port = 1521))
           (CONNECT_DATA =
             (SERVER = DEDICATED)
             (SERVICE_NAME = racdb.infoseccorp.com)
             (FAILOVER_MODE =(TYPE=select)(METHOD=basic))
           )
         )

   Specify jdbc:oracle:oci:@racdb in the URL field. Alternatively, include the above configuration in the URL:

       jdbc:oracle:oci:@(description=(address=(protocol=tcp)(HOST=cl6cluster-scan)(PORT=1521))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=racdb.infoseccorp.com)(FAILOVER_MODE=(TYPE=select)(METHOD=basic))))

   If your database does not support OCI, use the following URL to establish a connection using the thin driver:

       jdbc:oracle:thin:@//<host>:<port>/<service name>

4. Select New in the Instance option if this is the first CertAgent instance connecting to the specified database service.
5. Enter the database user name and password created by the DBA. For details on account creation and requirements, see the section entitled Configuring Database in the CertAgent Certificate Authority Guide (ca_install.pdf).
6. Change the connection pool setting if needed. CertAgent uses a connection pool for database communications. By default, five connections are created upon pool initialization and a maximum of twenty connections can be cached. A connection timeout value of 20 seconds is set to allow CertAgent to wait for an available connection in the pool before terminating a request. A connection in the pool is automatically closed once it has been idle for seven hours.
7. Click Update to save your changes.

6 Managing the NIAP Conformance Options

(Requires the admin permission.)

To manage the NIAP conformance options:

Click Servers, NIAP Conformance. The following page will appear:

To make CertAgent conform to the NIAP requirements, all the options on this page must be checked. The following sections describe each option in detail.

6.1 Data Integrity

The integrity of the trust anchor table, and of the table storing the ACLs, is maintained using a digital signature created using the CA System credential. This signature is validated when the table is used. The signature is updated whenever an administrator modifies the trust list or ACLs. Integrity can optionally be verified at power-up (after the system PIN has been entered to enable access to the database) and on demand by an Admin Site Administrator.

If an integrity failure occurs, CertAgent will record the error in both the audit trail and the local server log file, destroy any sensitive data, and shut down the CertAgent service. A local administrator must restart CertAgent in maintenance mode, which will disable the integrity test, path validation and security role restriction. They will then need to remove all certificates from the corresponding list and reimport the certificates to the list via the web interface or CACLI.

6.1 Updating the Settings

To update the Data Integrity settings:

1. Click the icon in the Data Integrity section.
2. Update the settings as desired and click Update. Available options are:
   - Enable data integrity on the Trust Anchor list
   - Enable data integrity on ACLs
   - Run integrity tests on server startup

The result will be displayed.

NOTE: If an integrity setting is changed from disabled to enabled, a signature of the associated table will be created automatically. You will be prompted to confirm your intention. Click OK to continue.

6.2 Running Integrity Test on Demand

To run the integrity test:

1. Click the Run Integrity Test link of the desired list.
2. Click OK at the confirmation prompt to confirm your intentions.

The result will be displayed.

6.2 User Authentication

6.1 Certificate and Path Validations

Certificates used to authenticate to the CertAgent web interfaces are validated first by the servlet container (e.g., Apache Tomcat):

- Certificate validation and certificate path validation
- The certificate path must terminate with a certificate in the Trust Anchor keystore configured in the servlet container

If the certificate and path validations option is enabled, the certificate will be validated again by CertAgent:

- IETF RFC 5280 certificate validation and certificate path validation
- The certificate path must terminate with a certificate in the Trust Anchor Database managed by the CertAgent Administrator
- CertAgent requires that intermediate and root certificates contain a basicConstraints extension asserting the CA flag
- CertAgent checks the revocation status of the user and intermediate certificates using Certificate Revocation Lists (CRLs) managed by the CertAgent Administrator
- The end entity certificate presented must have the Client Authentication usage (OID ) set in the extendedKeyUsage field

To update the Certificate and Path Validations settings:

1. Click the icon in the User Authentication section.
2. Check or uncheck the Enable strict certificate and path validations checkbox and click Update.

To manage the Trust Anchor list:

1. Click the Manage Trust Anchors link in the User Authentication section.
2. To add a trust anchor certificate to the list, click Add, then upload it by clicking Browse, locating the appropriate certificate file (X.509 certificate or PKCS#7), and clicking Upload. A confirmation message will be displayed.

   NOTE: Only valid self-signed certificates containing a basicConstraints extension asserting the CA flag can be imported into the list.
3. To inspect a particular certificate, click on its DN. A popup dialog with certificate information will appear. Click Close to close the dialog.
4. To remove one or more certificates from the list, check the boxes of those you wish to delete and click Remove. Then click OK in the confirmation dialog.

To manage the CRLs used for path validation:

1. Click the Manage CRLs link in the User Authentication section.
2. To add a CRL to the list, click Add, then upload it by clicking Browse, locating the appropriate CRL file, and clicking Upload. A confirmation message will be displayed.
3. To inspect a particular CRL, click on its DN. A popup dialog with certificate information will appear. Click Close to close the dialog.
4. To remove one or more CRLs from the list, check the boxes of those you wish to delete and click Remove. Then click OK in the confirmation dialog.

6.2 Restrictions on Security Roles

CertAgent supports 3 roles (Administrator, Auditor, and CA Operations Staff), each of which consists of an access control list (ACL) of one or more X.509 certificates and one or more rights (admin, audit, certify, revoke, RAMI, and DBAccess). If restrictions on security roles are enabled, CertAgent refuses to allow the same certificate to be placed:

- on both an Audit ACL and a non-audit ACL in the Admin Site
- on both an Audit ACL and a non-audit ACL within a given account on the CA Site
- on both a CA Operations Staff ACL and a non-CA Operations Staff ACL for a given account on the CA Site

In order to operate CertAgent properly, at least three different credentials are required. Each certificate has to be uploaded to the appropriate ACL with admin, audit, or CA operations staff permission.

To update the Restriction on Security Roles setting:

1. Click the icon in the User Authentication section.
2. Check or uncheck the Enable restrictions on security roles checkbox and click Update.

6.3 Client Certificate DN Filter

CertAgent supports filtering client certificates by their distinguished name (DN) in order to allow an administrator to restrict access to only matching certificates. If a client certificate's DN does not match the configured filter, the TOE responds with a fatal TLS bad_certificate error.

By default, the filter is set to * to allow any DNs. Specify the DN filter with one or more asterisks as appropriate to the DN structure of your existing role certificates. For example: CN=*, O=ISC, C=US.

To update the Client Certificate DN Filter setting:

1. Click the icon in the User Authentication section.
2. Update the DN filter as desired and click Update.
3. Check or uncheck the Enable restrictions on security roles checkbox and click Update.

6.3 Certificates

6.1 Adding Random Bytes to the Serial Number

CertAgent uses the database sequence to keep track of the next sequential number. If this option is enabled, each 20 byte serial number consists of 3 leading random bytes and 17 bytes representing the next sequential number, padded with leading zeros. The random bytes are obtained from the ISC CDK.

6.2 Requiring Consistent Values in Key Usage and Extended Key Usage Extensions

If this option is enabled, the following purposes in the extended key usage extension must be set with the specified purpose in the key usage extension:

- Server authentication ( ) must be set with digital signature, key encipherment or key agreement
- Client Authentication ( ) must be set with digital signature and/or key agreement
- Code signing ( ) must be set with digital signature
- protection ( ) must be set with digital signature, non-repudiation, and/or (key encipherment or key agreement)
- Time stamping ( ) must be set with digital signature and/or non-repudiation
- OCSP signing ( ) must be set with digital signature and/or non-repudiation

6.3 Requiring Authority Key Identifier Extension

If this option is enabled, any certificates issued by a CA account must have the authority key identifier extension.

6.4 Requiring Subject Key Identifier Extension

If this option is enabled, any certificates issued by a CA account must have the subject key identifier extension.

6.5 Enforcing Profile Settings on Issuance

If this option is enabled, any certificates issued by a CA account must use the profile settings.
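The key usage / extended key usage rule from the section "Requiring Consistent Values in Key Usage and Extended Key Usage Extensions" can be checked against a profile before it is submitted. The following is an added example, not CertAgent code; it assumes that "X, Y or Z" and "and/or" in the list both mean "at least one of these key usage bits", uses RFC 5280 purpose names instead of OIDs, and assumes the list entry whose name is incomplete on the page is e-mail protection.

```python
# Added example (not vendor code): pre-flight check of a certificate profile
# against the guide's KU/EKU consistency list.
# Assumption: each EKU purpose needs AT LEAST ONE of the listed keyUsage bits.
REQUIRED_KU = {
    "serverAuth": {"digitalSignature", "keyEncipherment", "keyAgreement"},
    "clientAuth": {"digitalSignature", "keyAgreement"},
    "codeSigning": {"digitalSignature"},
    # Assumption: the "... protection" entry in the guide is e-mail protection.
    "emailProtection": {"digitalSignature", "nonRepudiation",
                        "keyEncipherment", "keyAgreement"},
    "timeStamping": {"digitalSignature", "nonRepudiation"},
    "OCSPSigning": {"digitalSignature", "nonRepudiation"},
}


def check_ku_eku(key_usage, ext_key_usage):
    """Return a list of (purpose, reason); an empty list means consistent.

    key_usage: iterable of keyUsage bit names, or None if the extension is absent.
    ext_key_usage: iterable of extendedKeyUsage purpose names.
    """
    problems = []
    asserted = set(key_usage or ())
    for purpose in ext_key_usage:
        allowed = REQUIRED_KU.get(purpose)
        if allowed is None:
            continue  # purpose is not covered by the guide's list
        if key_usage is None:
            # Assumption: an EKU purpose cannot be "set with" a missing keyUsage.
            problems.append((purpose, "keyUsage extension absent"))
        elif not asserted & allowed:
            problems.append(
                (purpose, "needs one of: " + ", ".join(sorted(allowed))))
    return problems


# Constructed sample profiles: name -> (keyUsage bits, EKU purposes).
REQUESTS = {
    "tls-server": (["keyEncipherment"], ["serverAuth"]),
    "tls-both": (["keyEncipherment"], ["serverAuth", "clientAuth"]),
    "signer": (["nonRepudiation"], ["codeSigning", "timeStamping"]),
    "no-ku": (None, ["OCSPSigning"]),
}


def audit(requests):
    """Run the check over every sample profile."""
    return {name: check_ku_eku(ku, eku) for name, (ku, eku) in requests.items()}


if __name__ == "__main__":
    for name, problems in audit(REQUESTS).items():
        print(name, "OK" if not problems else problems)
```

The "tls-both" profile shows the common mistake: keyEncipherment alone satisfies server authentication but not client authentication, so a combined TLS profile needs digitalSignature or keyAgreement as well.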

6.6 Updating the Settings

To update the Certificates settings:

1. Click the icon in the Certificates section.
2. Update the settings as desired and click Update. Available options are:
   - Add three random bytes to the serial number
   - Require consistent values in keyUsage and extendedKeyUsage extensions
   - Require authorityKeyIdentifier extension
   - Require subjectKeyIdentifier extension
   - Enforce profile settings on issuance

6.4 LDAP Configuration

Disabling LDAP Publishing

If this option is checked, LDAP publishing will be disabled.

To update the LDAP Configuration settings:

1. Click the icon in the LDAP Configuration section.
2. Check or uncheck the Disable LDAP publishing checkbox and click Update.

Configuration

Disabling Notification

If this option is checked, notifications will be disabled.

To update the Configuration settings:

1. Click the icon in the Configuration section.
2. Check or uncheck the Disable notifications checkbox and click Update.

6.6 Access Banner

Before establishing a login session to CertAgent, a configurable advisory notice and consent warning banner can be displayed on the Login pages of the Admin and CA account sites.

To manage the access banner:

1. Click the icon in the Access Banner section.
2. To add an access banner, check the Display an access banner on the Login page checkbox. Enter the warning messages (plain text and HTML are allowed) in the text area and click Update.

7 Managing the Server Administration Access Control List

(Requires the admin permission.)

Authorized Server administrators can manage NIAP conformance options, create CA accounts, manage jobs, configure settings, and audit trails from any CertAgent system.

To manage the Server Administration ACL:

1. Click Servers, Access Control to view a list of the entities who are currently authorized to access the administrative pages on the current host (and on any other CertAgent system in a high-availability cluster to which the current host may belong).
2. To add a certificate to the ACL, click Add, then upload it by clicking Browse, locating the appropriate certificate file, selecting the desired permissions, and clicking Upload. A confirmation message will be displayed.

   NOTE: If the Enable restrictions on security roles option is enabled in the NIAP Conformance Options page, either admin or audit permission can be assigned to a user certificate.
3. To update the permission of an existing user, click the icon for the certificate you wish to modify. Uncheck the current permission, check the desired permission, and click Update.
4. To inspect a particular certificate, click on its DN. A popup dialog with certificate information will appear. Click Close to close the dialog.
5. To remove one or more certificates from the ACL, check the boxes of those you wish to delete and click Remove. Then click OK in the confirmation dialog.

8 Managing CA Accounts

(Requires the admin permission.)

Once you have logged in to a CertAgent website as an administrator with the admin permission, you may create a new CA account, manage an existing account, or modify site-wide configuration settings. This section explains each of these procedures assuming you are starting from the Admin Welcome page.

8.1 Creating a New CA Account

To create a new account:

1. Click the Servers, CA Accounts item in the left-hand action menu and click Create.
2. Complete the new account form. The descriptions of each setting on this page are given in the following table:

   Setting: Account Name
   Description: A unique identifier for a Certificate Authority; may only contain the characters A-Z, a-z, and 0-9. This name will be embedded in the system URIs for certificates and CRL retrieval.

   Setting: Display Name
   Description: The friendly name of the account; may only contain the characters A-Z, a-z, 0-9, and space.

   Setting: CA Description
   Description: The description of this CA as it will appear on the CA Resources page of the public site.
3. Click Create at the bottom of the page. A new CA account will be created and a confirmation message will be displayed.
4. Only authorized users can access the CA account page. To add authorized users to this account, click the Add button to upload an authorized user's certificate to the ACL. For details on uploading a certificate to the ACL, see the next section.

NOTE: Each user of a CA account must have their own key pair, and their certificate must be included in the account's ACL. When creating a new CA account, the administrator should add his/her certificate to the account ACL, then log in to the CA account and create or import the credentials for that CA. Once the CA account is established, potential users of that account may submit certificate requests via the public site, and the site administrator can use the account to process those requests and install the issued certificates into the ACL for that CA account. Be sure to import the root certificates for all necessary certificate chains into the host's trusted keystore. Otherwise, certificates subordinate to those root certificates will not be trusted by the webserver.

8.2 Managing an Existing CA account

To view or modify the settings for an existing account, click Server, CA Accounts in the main menu to view the list of active CA accounts.

8.1 Managing the Access Control List

To manage a CA account's ACL:

1. Click the icon for the CA account you wish to modify.
2. Click Add to add a certificate to the access control list. Then upload the certificate by clicking Browse, locating the appropriate X.509 or PKCS#7 certificate file, selecting appropriate permissions, and clicking Upload. A confirmation message will be displayed.

   NOTE: Only end-user certificates in a PKCS#7 file will be installed; any CA certificates in the file are ignored.

   The following table describes the administrative permissions available for a CA account and the corresponding responsibilities:

   Role: administrator
   Permission: admin
   Responsibility: manage account configurations (issuer credential, certificate profile, CRL issuance, certificate issuance, EST, OCSP, RAMI, and enrollment options)

   Role: auditor
   Permission: audit
   Responsibility: view and export audit trails, and search certificates

   Role: CA operations staff
   Permission: certify
   Responsibility: issue certificates, reject invalid certificate requests, manage EST subscribers, manage automated certificate issuance option, and manage RAMI enrollment setting
   Permission: revoke
   Responsibility: revoke certificates, issue CRLs, manage self-service certificate revocation option, manage automated CRL issuance option, manage RAMI CRL issuance, and revocation settings
   Permission: RAMI
   Responsibility: submit requests via the RA management interface (RAMI)
   Permission: DBAccess
   Responsibility: submit queries via the DBAccess service

   NOTE: If the Enable restrictions on security roles option is enabled in the NIAP Conformance Options page, a user certificate can be assigned to one role (Administrator, Auditor, or CA Operations Staff). If CA Operations Staff is selected, one or more permissions (Certify, Revoke, RAMI, and DBAccess) can be assigned.
3. To update the permission of an existing user, click the icon for the certificate you wish to modify. Uncheck the current permissions, check the desired permissions, and click Update.
4. To inspect a certificate, click on the desired certificate DN. A popup dialog with certificate information will be displayed. Click Close to close the dialog.
5. To remove one or more certificates from the ACL, check the boxes of those you wish to delete and click Remove. Then click Yes in the confirmation dialog.

To remove an account, select the desired account and click Remove. Click OK to confirm the operation. All settings (configuration, key pair, databases, audit trails, and all profiles) for this account will be discarded and the CA will no longer be able to log into the site. Furthermore, end users visiting the public side of the CertAgent website will no longer see this CA's name in the list of available CAs, and they will not be able to submit a certificate request and obtain a certificate from this account.
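Before turning on Enable restrictions on security roles, it helps to know which existing ACL entries would violate the three rules listed under Restrictions on Security Roles and the one-role NOTE above. The following is an added example, not CertAgent code: it works on a constructed export of ACL rows (site, account, certificate identifier, permissions), and the row format and certificate identifiers are assumptions made for illustration.

```python
# Added example (not vendor code): find certificates that hold more than one
# security role inside the same scope, per the guide's role restrictions.
from collections import defaultdict

# Permission -> role, as given in the guide's permission tables.
ROLE_OF = {
    "admin": "Administrator",
    "audit": "Auditor",
    "certify": "CA Operations Staff",
    "revoke": "CA Operations Staff",
    "RAMI": "CA Operations Staff",
    "DBAccess": "CA Operations Staff",
}


def find_role_conflicts(acl_rows):
    """Return sorted (scope, cert, roles) for every cert with >1 role in a scope.

    A scope is the Admin Site as a whole, or one account on the CA Site; the
    guide's rules are stated per scope, so the same certificate holding
    different roles in different scopes is not reported.
    """
    roles = defaultdict(set)
    for site, account, cert, permissions in acl_rows:
        for permission in permissions:
            if permission not in ROLE_OF:
                raise ValueError("unknown permission: %r" % permission)
            roles[((site, account), cert)].add(ROLE_OF[permission])
    return sorted(
        (scope, cert, sorted(held))
        for (scope, cert), held in roles.items()
        if len(held) > 1
    )


# Constructed ACL export; "cert-A" etc. stand in for certificate fingerprints.
ACL_ROWS = [
    ("admin", "-", "cert-A", {"admin"}),
    ("admin", "-", "cert-B", {"audit"}),
    ("admin", "-", "cert-A", {"audit"}),           # second row for cert-A
    ("ca", "RootCA", "cert-B", {"admin"}),         # different scope than above
    ("ca", "RootCA", "cert-C", {"certify", "revoke"}),  # one role, two rights
    ("ca", "RootCA", "cert-D", {"audit", "DBAccess"}),
    ("ca", "IssuingCA", "cert-C", {"audit"}),      # different account
]

if __name__ == "__main__":
    for scope, cert, held in find_role_conflicts(ACL_ROWS):
        print(scope, cert, "holds", " + ".join(held))
```

Only cert-A (Admin Site) and cert-D (RootCA account) are reported; cert-C holds two rights but a single role, which the restrictions allow.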

8.2 Disabling CA Accounts

When a CA account is no longer in service, it can be disabled. Once disabled, the ACL of the CA account will be deleted and this account will not be accessible from any interface. However, the requests, certificates, CRLs, account configuration and audit trails will remain in the database.

To disable one or more CA accounts:

1. Check one or more CA accounts you wish to disable.
2. Click Disable and OK to confirm the operation.

8.3 Enabling CA Accounts

To enable one or more CA accounts:

1. Select the Disabled tab.
2. Check one or more CA accounts you wish to enable.
3. Click Enable Account and OK to confirm the operation.

9 Managing Jobs

(Requires the admin permission.)

CertAgent uses a background thread to periodically check for pending jobs and execute them on schedule. The default interval between checks is 15 minutes.

The descriptions of the available jobs are given in the following table:

Job: Check certificates
Description: checks for expired certificates and notifies users of imminent expirations; this job is scheduled for daily execution at midnight GMT time

Job: Automated CRL issuance
Description: issues a CRL; this job is scheduled for execution sometime before the current CRL's nextUpdate time

Job: Publish certificate to LDAP
Description: publishes a user or CA's certificate to an LDAP repository

Job: Remove certificate from LDAP
Description: removes a user certificate from an LDAP repository

Job: Publish CRL to LDAP
Description: publishes the latest CRL to an LDAP repository

Each job has associated attributes as described in this table:

Attribute: Job
Description: type of job

Attribute: CA Account
Description: job owner

Attribute: Next Update
Description: time of execution

Attribute: Status
Description: status of the job; pending, running or disabled

Attribute: Last update
Description: time of last execution, if any

Attribute: Last error
Description: error message returned from last execution, if any

Attribute: Failed attempts
Description: number of times this job executed and failed

Attribute: Locked
Description: address of host that initiated the lock on this job and the time when lock was initiated, if any

When a job is executed by a CertAgent system, it is marked as locked and its Locked attributes are assigned appropriate values. This ensures that no clone of the system in a high-availability cluster will attempt to execute the same job simultaneously. When a job successfully terminates, its lock is released and its attributes are reset: Next Update is updated and Locked is cleared.

To view job configuration settings:

1. Click the Servers, Jobs item in the left-hand action menu.
2. Initial default configuration settings are displayed. Descriptions of the settings on this page are given in the following table:

   Setting: Check job frequency
   Description: how often the background thread checks for pending jobs

   Setting: Issue CRL threshold
   Description: how soon a CRL can be issued before the Next Update time; for example, if Next Update time is today at 11:00 am and the threshold is 30 minutes, a CRL will be issued between 10:30 and 11:00 am.

   Setting: Restart job threshold
   Description: if a job has been locked by a CertAgent server longer than this threshold value, the job will be released automatically

   Setting: Retry limit
   Description: maximum number of times a job can retry before being disabled

   Setting: Retry delay
   Description: number of minutes to wait after the first failed attempt; wait time for the consecutive failed attempt is <delay> * <failed attempt>

   Setting: Delete inactive jobs automatically
   Description: if enabled, jobs exceeding their retry limit will be deleted automatically; otherwise, they will be moved to the inactive job list

To update these settings, click the icon, make your changes, and click Update.
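The job settings above interact: retry waits grow as <delay> * <failed attempt>, but a job only runs when the background thread next checks. The following is an added example, not CertAgent code, that models those settings to show when a persistently failing job is actually retried and when a CRL becomes due. The 15-minute check frequency and 30-minute CRL threshold come from the guide; the other values, the assumption that the retry limit counts retries after the first attempt, and the assumption that an overdue CRL still counts as due are constructed for illustration.

```python
# Added example (not vendor code): a model of the job settings table.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class JobSettings:
    check_frequency: timedelta = timedelta(minutes=15)        # guide default
    issue_crl_threshold: timedelta = timedelta(minutes=30)    # guide's example
    restart_job_threshold: timedelta = timedelta(minutes=60)  # constructed
    retry_limit: int = 3                                      # constructed
    retry_delay: timedelta = timedelta(minutes=10)            # constructed


def next_check(due, first_check, frequency):
    """First background-thread check at or after `due`."""
    if due <= first_check:
        return first_check
    ticks = -((first_check - due) // frequency)  # ceiling division
    return first_check + ticks * frequency


def crl_due(now, next_update, settings):
    """True once `now` is inside the issue window before Next Update.

    Assumption: a CRL that is already past Next Update is also due.
    """
    return now >= next_update - settings.issue_crl_threshold


def lock_is_stale(locked_at, now, settings):
    """True when a lock is older than the restart job threshold."""
    return now - locked_at > settings.restart_job_threshold


def failing_job_timeline(first_check, settings):
    """Attempt times of a job that fails every time, plus its final status.

    Assumption: the retry limit counts retries, so the job is disabled on the
    failure that follows the last permitted retry.
    """
    attempts, failed, run_at = [], 0, first_check
    while True:
        attempts.append(run_at)
        failed += 1
        if failed > settings.retry_limit:
            return attempts, "disabled"
        due = run_at + settings.retry_delay * failed  # <delay> * <failed attempt>
        run_at = next_check(due, first_check, settings.check_frequency)


if __name__ == "__main__":
    start = datetime(2018, 7, 5, 0, 0)  # constructed start time
    times, status = failing_job_timeline(start, JobSettings())
    for t in times:
        print("attempt at", t.strftime("%H:%M"))
    print("final status:", status)
```

With these values the nominal waits of 10, 20 and 30 minutes become attempts at 00:00, 00:15, 00:45 and 01:15, because each retry slips to the next 15-minute check.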

To view the job lists:

- Servers, Jobs item in the left-hand action menu.
- Select the Jobs tab. Lists of active and inactive jobs will be displayed, if any.

To view and manage a job:

- icon.
- To execute the job, click Run Now.
- To delete the job, click Delete.

10 Configuring Settings [7]

[7] Requires the admin permission.

CertAgent can send a notification to an administrator when the following error conditions occur:

- job abortion after a certain number of failed attempts
- failed to issue a CRL
- failed to issue a certificate
- failed to publish/remove certificates to/from LDAP repositories

To view and manage the settings:

- Servers, Settings item in the left-hand action menu.
- icon in the Account section.
- To enable the settings:
  a. Check the Enable checkbox.
  b. Enter the SMTP server, port, from address, and to address fields. If your mail server requires user authentication, select one of the authentication methods (plain, STARTTLS, or SSL) from the authentication drop-down. Then, specify the user name and password. If STARTTLS or SSL is selected, specify the trust root certificate of the mail server's SSL certificate.

     NOTE: STARTTLS and SSL options are disabled by default. To enable this option, see the section entitled Configuration for details.
  c. (optional) Test button to transmit a test message.
  d. Click Update to apply the changes.

To customize the subject and message body:

- icon in the Notify Administrator for Critical Errors section.
- Modify the subject and message fields as desired.
  NOTE: The token $ERROR is required in the message body. When the message is composed, the token is replaced with the appropriate error message.
- Click Update to apply the changes.

11 Managing the Audit Trail

CertAgent includes an audit facility that generates audit records when auditable events happen. Audit records are written to the database's Audit Table, named CA_ADMIN_AUDIT. No user or auditor has the ability to delete or modify the audit data via the CertAgent interfaces. If, for some reason, the database is not available (it is full or offline), CertAgent will stop operating and deny access until the issue is corrected at the local console. In these events, CertAgent will create diagnostic information in a local text file.

Audit trail data may be transferred to an external IT entity by having that entity use the DBAccess API. This connection is client-authenticated and encrypted using TLS supplied by Apache Tomcat. The external IT entity is expected to poll CertAgent periodically to obtain updated audit entries. For details on the DBAccess API, see the section entitled Database Access Service in the CertAgent Certificate Authority Guide (ca_install.pdf).

11 Audit Table Format and Description

The type and description of each available column in the Audit Table are given in the following table:

| Column | Format | Description |
|---|---|---|
| TYPE | int | Type of the event: 1: credentials; 2: PIN; 4: ACL; 8: audit; 16: login; 32: database; 64: job; 128: CA account; 256: ; 512: NIAP; 1024: DBAccess; 2048: System; 4096: TLS session |
| SERVER | String | IP address of the CertAgent system. |
| CLIENT | String | IP address of the client system, CACLI, or NULL (for the events that are triggered by the system) |
| LDATE | Timestamp | Timestamp of the event. |
| LLEVEL | int | Level of the event: 1: error; 3: information |
| EVENT | String | Recorded events |
| CLIENTID | String | The identity of the client: Subject DN of an authorized user's certificate, CACLI, or NULL (for the events that are triggered by the system) |

12 Searching the Audit Trail [8]

[8] Requires the audit permission.

Once you have logged in to a CertAgent website as an auditor with the audit permission, you may search the administrative audit trail and Tomcat logs (if enabled by the administrator).

To search the administrative audit trail:

- Audit Trails, Search item in the left-hand action menu.
- Initially, the default basic search criteria, named (new search), is displayed. On subsequent views, the last user-selected saved search for the current session is displayed.

- To search the audit trails using the basic search criteria:
  a. Specify the desired search criteria and the fields to be included in the report. You may use an asterisk (*) as a wildcard in the search string. The descriptions of each setting on this page are given in the following table:

| Setting | Description |
|---|---|
| Date | Timestamp of the event. Available options: last hour, last 12 hours, today, last 7 days, last 30 days, and custom |
| Category | Type of the event: ACL, audit, CA account, credential, database, DBAccess, , job, login, NIAP, PIN, and system. If not specified, all types will be displayed. |
| Level | Level of the event: INFO or ERROR. If specified, either error only or information only can be set. If not specified, both information and error events will be displayed. |
| Server | IP address of the CertAgent system. |
| Client | IP address of the client system. To search for events triggered by the system, enter [system]. To search for events triggered by the CACLI tool, enter CACLI. |
| Client ID | The identity of the client. Subject DN of an authorized user's certificate, CACLI, or (n/a) (for the events that are triggered by the system). |
| Event | Recorded events. Events with ERROR level will be displayed in red. |

- To search the audit trails using a SQL statement:
  a. Select the Advanced option.
  b. Specify one or more columns to be included in the first text area and optionally specify the WHERE clause in the second text area to construct the desired SQL statement. For details on the column names and description, see Audit Table Format and Description. To search for events triggered by the system, use CLIENT IS NULL in the WHERE clause. To search for events triggered by the CACLI tool, use CLIENT = 'CACLI' in the WHERE clause.
- Click Search to search for the events. Results will be displayed in the Result tab.
- To export the list of displayed events to a file in CSV format, click Export Search Result to File.
- To save the search for reuse, click Save Search.

  a. Select Save to overwrite the existing search.
  b. Otherwise, select Save as and specify a name.
  c. Click Save to apply the changes.

To search the events by a given subject name (<user's subject DN>):

- In the Basic search, check the Client ID matches checkbox and specify <user's subject DN> in the associated field. Then click Search.
- Alternatively, in the Advanced search, specify the return columns in the first text area, and WHERE CLIENTID = '<user's subject DN>' in the second text area. Then click Search.

To search the Tomcat logs:

- Audit Trails, Tomcat item in the left-hand action menu.
- Initially, the default date range is today. Change the range if needed. Then, click Search. The files generated from the specified date range will be displayed.
- Select the desired file and click View Selected. The content of the file will be displayed in a popup window. Alternatively, click Export Selected to File to download the selected log file.

13 Managing Auditable Events [9]

[9] Requires the admin permission.

Events are categorized by event type: ACL, audit, CA account, credential, database, DBAccess, , job, login, NIAP, PIN, system, and TLS session. By default, all events are recorded. An administrator can select which event types are audited.

To manage the auditable events:

- Audit Trails, Configure item in the left-hand action menu.
- icon in the CertAgent Admin Site section.
- Check the desired event type to be audited. Then, click Update.

To allow auditor to view the Tomcat events:

- Audit Trails, Configure item in the left-hand action menu.
- icon in the Tomcat section.

- Check Allow Auditor to view the Tomcat events from this site. Then, click Update.

12 Using Help

Click Help to open the online help system in a new window.

13 Logging Out

Click Log Out when you have finished working with the site and wish to terminate your CertAgent session.
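The Advanced search described under Searching the Audit Trail builds a SELECT over the audit table from a column list and a WHERE clause. The following is an added example, not code from CertAgent or ISC: it loads constructed rows into an in-memory SQLite table that uses the documented CA_ADMIN_AUDIT column names and runs the kind of review queries an auditor would save. The SQLite column types, the event texts, the addresses and the helper names are assumptions.

```python
import sqlite3

# TYPE and LLEVEL codes as listed in the guide's Audit Table description.
# The page shows no name for code 256, so it is left out here.
EVENT_TYPES = {1: "credentials", 2: "PIN", 4: "ACL", 8: "audit", 16: "login",
               32: "database", 64: "job", 128: "CA account", 512: "NIAP",
               1024: "DBAccess", 2048: "System", 4096: "TLS session"}
LEVELS = {1: "error", 3: "information"}
COLUMNS = ("TYPE", "SERVER", "CLIENT", "LDATE", "LLEVEL", "EVENT", "CLIENTID")

# Constructed sample rows (not real CertAgent output); EVENT texts are invented.
SAMPLE_ROWS = [
    (16, "10.0.0.5", "192.0.2.10", "2018-07-05 09:00:01", 1, "login rejected", "CN=Alice,O=Example"),
    (16, "10.0.0.5", "192.0.2.10", "2018-07-05 09:00:09", 1, "login rejected", "CN=Alice,O=Example"),
    (16, "10.0.0.5", "192.0.2.10", "2018-07-05 09:00:15", 1, "login rejected", "CN=Alice,O=Example"),
    (16, "10.0.0.5", "192.0.2.44", "2018-07-05 09:05:00", 3, "login accepted", "CN=Bob,O=Example"),
    (64, "10.0.0.5", None, "2018-07-05 10:30:00", 1, "CRL issuance failed", None),
    (64, "10.0.0.5", None, "2018-07-05 11:00:00", 3, "CRL issued", None),
    (128, "10.0.0.5", "CACLI", "2018-07-05 12:00:00", 3, "CA account disabled", "CACLI"),
    (16, "10.0.0.5", "192.0.2.44", "2018-07-05 13:00:00", 1, "login rejected", "CN=Bob,O=Example"),
]


def open_sample_db():
    """Create an in-memory stand-in for CA_ADMIN_AUDIT (column types assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CA_ADMIN_AUDIT (TYPE INTEGER, SERVER TEXT, "
                 "CLIENT TEXT, LDATE TEXT, LLEVEL INTEGER, EVENT TEXT, CLIENTID TEXT)")
    conn.executemany("INSERT INTO CA_ADMIN_AUDIT VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def advanced_search(conn, columns, where="", params=()):
    """Mimic the Advanced search: a column list plus an optional WHERE clause.

    Column names are checked against the documented set and values are bound
    as parameters, so a subject DN containing quotes cannot alter the statement.
    """
    unknown = [c for c in columns if c.upper() not in COLUMNS]
    if not columns or unknown:
        raise ValueError(f"not an audit table column: {unknown}")
    sql = "SELECT " + ", ".join(c.upper() for c in columns) + " FROM CA_ADMIN_AUDIT"
    if where:
        sql += " WHERE " + where
    return conn.execute(sql + " ORDER BY LDATE", params).fetchall()


def repeated_login_errors(conn, threshold=3):
    """Clients with at least `threshold` login events (TYPE 16) at error level (1)."""
    sql = ("SELECT CLIENT, CLIENTID, COUNT(*) AS n, MIN(LDATE), MAX(LDATE) "
           "FROM CA_ADMIN_AUDIT WHERE TYPE = 16 AND LLEVEL = 1 "
           "GROUP BY CLIENT, CLIENTID HAVING COUNT(*) >= ? ORDER BY n DESC")
    return conn.execute(sql, (threshold,)).fetchall()


def label(type_code, level_code):
    """Translate the integer TYPE and LLEVEL codes into the guide's names."""
    return (EVENT_TYPES.get(type_code, f"unknown({type_code})"),
            LEVELS.get(level_code, f"unknown({level_code})"))


if __name__ == "__main__":
    conn = open_sample_db()
    print("Errors triggered by the system (CLIENT IS NULL):")
    for ldate, type_code, event in advanced_search(
            conn, ["LDATE", "TYPE", "EVENT"], "CLIENT IS NULL AND LLEVEL = 1"):
        print(" ", ldate, label(type_code, 1), event)
    print("Events triggered by the CACLI tool:")
    for row in advanced_search(conn, ["LDATE", "EVENT"], "CLIENT = ?", ("CACLI",)):
        print(" ", *row)
    print("Clients with repeated login errors:")
    for client, client_id, n, first, last in repeated_login_errors(conn):
        print(f"  {client} ({client_id}): {n} errors between {first} and {last}")
```

The same WHERE clauses, with literal values in place of the `?` placeholders, are what the Advanced search's second text area takes.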

3 Certificate Authorities

1 Logging in to a CA account

To log in to a CA account:

- Launch Internet Explorer and enter the following URL in its address bar:
  port>/certagentadmin/ca/login.jsp
  Be sure to replace <host> and <admin port> with the appropriate system name (or IP address) and SSL port of your CertAgent webserver.
- Select your certificate in the Windows Security dialog to authenticate yourself to the webserver and click OK.
- If you are authorized to access multiple accounts, select an account from the drop-down list. Otherwise, you will be logged in to your account automatically.

For more information on how to manage the CA administrative site, please refer to its on-line help pages:
port>/certagentadmin/ca/help.html

4 Public Site

4.1 Viewing the Public Site

To view the public site, launch Internet Explorer and enter the following URL in its address bar:
port>/certagent/main.jsp

Be sure to replace <host> and <SSL port> with the appropriate system name (or IP address) and SSL port of your CertAgent webserver.

For more information on the public site usage, please refer to its online help pages:
port>/certagent/help.html


More information

Compliance Manager ZENworks Mobile Management 2.7.x August 2013

Compliance Manager ZENworks Mobile Management 2.7.x August 2013 www.novell.com/documentation Compliance Manager ZENworks Mobile Management 2.7.x August 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this

More information

Perceptive Data Transfer

Perceptive Data Transfer Perceptive Data Transfer Installation and Setup Guide Version: 6.5.x Written by: Product Knowledge, R&D Date: May 2017 2017 Lexmark. All rights reserved. Lexmark is a trademark of Lexmark International,

More information

How to Connect with SSL Network Extender using a Certificate

How to Connect with SSL Network Extender using a Certificate How to Connect with SSL Network Extender using a Certificate 29 August 2011 2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright

More information

One Identity Manager 8.0. Administration Guide for Connecting to a Universal Cloud Interface

One Identity Manager 8.0. Administration Guide for Connecting to a Universal Cloud Interface One Identity Manager 8.0 Administration Guide for Connecting to a Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

Sophos Mobile in Central

Sophos Mobile in Central startup guide Product Version: 8.1 Contents About this guide... 1 What are the key steps?... 2 Activate Mobile Advanced licenses... 3 Configure settings... 4 Configure personal settings...4 Configure technical

More information

One Identity Manager Administration Guide for Connecting to SharePoint

One Identity Manager Administration Guide for Connecting to SharePoint One Identity Manager 8.0.2 Administration Guide for Connecting to Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software

More information

Axway Validation Authority Suite

Axway Validation Authority Suite Axway Validation Authority Suite PKI safeguards for secure applications Around the world, banks, healthcare organizations, governments, and defense agencies rely on public key infrastructures (PKIs) to

More information

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide BlackBerry Enterprise Server for Microsoft Office 365 Version: 1.0 Administration Guide Published: 2013-01-29 SWD-20130131125552322 Contents 1 Related resources... 18 2 About BlackBerry Enterprise Server

More information

Sophos Mobile. super administrator guide. Product Version: 8

Sophos Mobile. super administrator guide. Product Version: 8 Sophos Mobile super administrator guide Product Version: 8 Contents About this guide... 1 Document conventions... 1 Super administrator... 2 Super administrator tasks...2 Super administrator customer...

More information

Genesys Security Deployment Guide. What You Need

Genesys Security Deployment Guide. What You Need Genesys Security Deployment Guide What You Need 12/27/2017 Contents 1 What You Need 1.1 TLS Certificates 1.2 Generating Certificates using OpenSSL and Genesys Security Pack 1.3 Generating Certificates

More information

Sophos Mobile super administrator guide. Product version: 7.1

Sophos Mobile super administrator guide. Product version: 7.1 Sophos Mobile super administrator guide Product version: 7.1 Contents 1 About this guide...4 1.1 Document conventions...4 2 Super administrator...5 2.1 Super administrator tasks...5 2.2 Super administrator

More information

Microsoft Office Groove Server Groove Manager. Domain Administrator s Guide

Microsoft Office Groove Server Groove Manager. Domain Administrator s Guide Microsoft Office Groove Server 2007 Groove Manager Domain Administrator s Guide Copyright Information in this document, including URL and other Internet Web site references, is subject to change without

More information

NTP Software VFM Administration Web Site

NTP Software VFM Administration Web Site NTP Software VFM Administration Web Site User Manual Version 7.1 This guide details the method for using NTP Software VFM Administration Web Site, from an administrator s perspective. Upon completion of

More information

Security Management Guide

Security Management Guide Security Management Guide Operations Center 5.0 April 26, 2013 Legal Notices THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT

More information

RealPresence Access Director System Administrator s Guide

RealPresence Access Director System Administrator s Guide [Type the document title] Polycom RealPresence Access Director System Administrator s Guide 2.1.0 March 2013 3725-78703-001A Polycom Document Title 1 Trademark Information POLYCOM and the names and marks

More information

FileCruiser. Administrator Portal Guide

FileCruiser. Administrator Portal Guide FileCruiser Administrator Portal Guide Contents Administrator Portal Guide Contents Login to the Administration Portal 1 Home 2 Capacity Overview 2 Menu Features 3 OU Space/Team Space/Personal Space Usage

More information

CertDigital Certification Services Policy

CertDigital Certification Services Policy CertDigital Certification Services Policy Page: 2 ISSUED BY : DEPARTAMENT NAME DATE ELECTRONIC SERVICES COMPARTMENT COMPARTMENT CHIEF 19.03.2011 APPROVED BY : DEPARTMENT NAME DATE MANAGEMENT OF POLICIES

More information

ER/Studio Enterprise Portal User Guide

ER/Studio Enterprise Portal User Guide ER/Studio Enterprise Portal 1.1.1 User Guide Copyright 1994-2009 Embarcadero Technologies, Inc. Embarcadero Technologies, Inc. 100 California Street, 12th Floor San Francisco, CA 94111 U.S.A. All rights

More information

User Manual. Active Directory Change Tracker

User Manual. Active Directory Change Tracker User Manual Active Directory Change Tracker Last Updated: March 2018 Copyright 2018 Vyapin Software Systems Private Ltd. All rights reserved. This document is being furnished by Vyapin Software Systems

More information

Secure IIS Web Server with SSL

Secure IIS Web Server with SSL Publication Date: May 24, 2017 Abstract The purpose of this document is to help users to Install and configure Secure Socket Layer (SSL) Secure the IIS Web server with SSL It is supported for all EventTracker

More information

IBM Security Access Manager Version January Federation Administration topics IBM

IBM Security Access Manager Version January Federation Administration topics IBM IBM Security Access Manager Version 9.0.2.1 January 2017 Federation Administration topics IBM IBM Security Access Manager Version 9.0.2.1 January 2017 Federation Administration topics IBM ii IBM Security

More information

Android Mobile Single Sign-On to VMware Workspace ONE. SEP 2018 VMware Workspace ONE VMware Identity Manager VMware Identity Manager 3.

Android Mobile Single Sign-On to VMware Workspace ONE. SEP 2018 VMware Workspace ONE VMware Identity Manager VMware Identity Manager 3. Android Mobile Single Sign-On to VMware Workspace ONE SEP 2018 VMware Workspace ONE VMware Identity Manager VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on the VMware

More information

QUESTION: 1 An RSA SecurID tokencode is unique for each successful authentication because

QUESTION: 1 An RSA SecurID tokencode is unique for each successful authentication because 1 RSA - 050-v71-CASECURID02 RSA SecurID Certified Administrator 7.1 Exam QUESTION: 1 An RSA SecurID tokencode is unique for each successful authentication because A. a token periodically calculates a new

More information

CA Process Automation

CA Process Automation CA Process Automation Production User Guide Release 04.3.00 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Cisco Unified Serviceability

Cisco Unified Serviceability Cisco Unified Serviceability Introduction, page 1 Installation, page 5 Introduction This document uses the following abbreviations to identify administration differences for these Cisco products: Unified

More information