
Overview of a PKI

Minimal parts of the PKI

  • CA
    • Entrust Authority Security Manager 7.1 SP3
    • Security Manager database
  • LDAP compliant Directory

Additionally we use,

  • Roaming Server
  • SMA (Security Manager Administration) Client
Info

Much of this material comes from the Security Manager 8.1 Deployment Guide, document issue 3.0.

Security Manager

Security Manager is the CA (Certificate Authority). The main functions of the Security Manager are to,

  • Create certificates for all public keys.
  • Create encryption key pairs for users.
  • Manage a secure database of information that allows recovery of users' encryption key pairs.
  • Enforce defined security policies.

Security Manager Control Command Shell (entsh) allows Master Users to administer and monitor Security Manager.

Security Manager has 8 subsystems to handle requests from its own components and PKI-enabled products,

Communication

  • Public-Key Infrastructure X.509 Certificate Management Protocol (PKIX-CMP) subsystem - handles key and certificate management requests from PKIX-CMP clients; defaults to 2 processes
  • Entrust proto-PKIX (SEP) subsystem - Entrust proprietary protocol; handles requests from applications such as Entrust Authority Enrollment Server for Web; defaults to 2 processes; can safely be disabled if not in use
    Prior to Security Manager 8.1, the Entrust proto-PKIX subsystem handled both the proto-PKIX and SEP (Secure Exchange Protocol) protocols. Secure Exchange Protocol is no longer supported and the SEP subsystem now only supports proto-PKIX.
  • Administration Service Handler (ASH) subsystem - handles requests from the SMA client; defaults to 4 processes
  • XML Administration Protocol (XAP) subsystem - proprietary protocol used by clients such as Entrust Admin Services; defaults to 2 processes

Internal Functions

  • Key Generator subsystem
  • Automatic Backup subsystem
  • Database Integrity Check subsystem
  • CRL and Maintenance subsystem

See Security Manager 8.1 Deployment Guide document issue 3.0 for more details.

Security Manager Database

Stores information about the PKI users and the infrastructure. Security Manager encrypts and protects this data using keys derived from the Master User passwords. The database is used to,

  • Store the CA signing key pair. Alternatively, for higher security, a Hardware Security Module (HSM) can hold the CA key instead.
  • Store the status information and DN of each user.
  • Optionally, store the encryption key pair history for all Entrust users (this is what makes encryption key recovery possible).
  • Store the verification public key history and current public keys for users (note: signing private keys never leave the user's profile).
  • Store validity periods for user signing key pairs, user encryption key pairs and system cross-certificates.
  • Store Security Officer information.
  • Store Entrust Administrator information.

Security Manager Directory

The directory has the following functions,

  • Stores CA certificates
  • Stores CRLs
  • Optionally, stores user information

Starting Services

Services must be started and stopped in the right order, because each depends on the one before it. Start them in this order:

  • Master Directory and any Directory Shadows
  • Informix Database
  • CA (Security Manager)
  • Roaming Server (all instances)

...

Note

Alternatively, the startstop.sh script will start both the Informix Database and the CA.

Please note that you must import the environment settings before running any of the scripts:

Code Block
languagebash
. ./env_settings.sh   # source it (leading dot), so the variables are set in the current shell

Log into CA1,

Code Block
languagebash
su -                   # become root
su - master            # then switch to the master account
oninit -v              # start the Informix database server (-v prints progress)

...

Code Block
languagebash
onstat -   # check server state; the banner must read On-Line before the CA is started

IBM Informix Dynamic Server Version 9.40.UC9     -- On-Line -- Up 00:01:56 -- 33792 Kbytes

CA (Security Manager)

Log into CA1.

Using entsh (Security Manager Control) is Shawn's preferred method of starting the CA. You must log in as a Master User.

...

Code Block
login
Master User Name: Master1
Password:
You are logged in to Security Manager Control
ou=CA200,o=e-Scotia.com,c=CA.Master1 $

Start the actual service subsystems, then confirm each one is up,

Code Block
ou=CA200,o=e-Scotia.com,c=CA.Master1 $ service start
ou=CA200,o=e-Scotia.com,c=CA.Master1 $ service status
sep     Entrust SEP               enabled  up  2 processes
keygen  Key Generator             enabled  up  1 processes
backup  Automatic Backup          enabled  up  1 processes
integ   Database Integrity Check  enabled  up  1 processes
amb     CRL and Maintenance       enabled  up  1 processes
ash     Admin Service Handler     enabled  up  8 processes
cmp     PKIX-CMP                  enabled  up  2 processes
xap     XML Admin Protocol        enabled  up  2 processes
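
The two outputs above (`onstat -` and `service status`) are what an operator reads to confirm the start order was honoured. The following is an added shell example, not from the original page or from Entrust, that turns that reading into checks: a gate that refuses to proceed unless Informix reports On-Line, and a scan that lists every enabled CA subsystem that did not come up. The sample outputs are constructed from the formats shown on this page; the "down" state wording and the Quiescent banner are assumed for illustration, and `wait_for_informix` polls the real `onstat -` but is defined here without being invoked.

```shell
#!/bin/sh
# Added example (not Entrust code or part of the original page): post-start
# checks for the start order described above. Informix must report On-Line
# before the CA is started, and every enabled CA subsystem must be up.

# informix_online OUTPUT
# Succeeds only if the captured `onstat -` banner contains "-- On-Line --".
# Other states (Quiescent, Recovery, Initialization, "shared memory not
# initialized") mean the database is not ready for the CA.
informix_online() {
    printf '%s\n' "$1" | grep -q -- '-- On-Line --'
}

# wait_for_informix SECONDS
# Polls the real `onstat -` once a second until On-Line or the timeout expires.
# Intended for use between `oninit -v` and `entsh`; not invoked in this example.
wait_for_informix() {
    elapsed=0
    while [ "$elapsed" -lt "$1" ]; do
        informix_online "$(onstat - 2>&1)" && return 0
        elapsed=$((elapsed + 1))
        sleep 1
    done
    return 1
}

# service_problems OUTPUT
# Reads `service status` output (name, description, enabled|disabled, state,
# N processes) and prints one line per subsystem that is enabled but not up,
# or up with zero processes. Prints nothing when everything is healthy.
service_problems() {
    printf '%s\n' "$1" | awk '
        NF >= 5 && $NF == "processes" {
            name = $1; count = $(NF-1); state = $(NF-2); policy = $(NF-3)
            if (policy == "enabled" && (state != "up" || count == 0))
                print name, policy, state, count
        }'
}

# Constructed sample outputs, modelled on the formats shown on this page.
ONSTAT_OK='IBM Informix Dynamic Server Version 9.40.UC9     -- On-Line -- Up 00:01:56 -- 33792 Kbytes'
ONSTAT_NOT_READY='IBM Informix Dynamic Server Version 9.40.UC9     -- Quiescent -- Up 00:00:04 -- 33792 Kbytes'
STATUS_HEALTHY='sep     Entrust SEP               enabled  up  2 processes
keygen  Key Generator             enabled  up  1 processes
cmp     PKIX-CMP                  enabled  up  2 processes'
# The "down" state below is assumed for illustration; check the wording your
# entsh version prints before relying on it.
STATUS_DEGRADED='sep     Entrust SEP               enabled  up    2 processes
backup  Automatic Backup          enabled  down  0 processes
amb     CRL and Maintenance       disabled down  0 processes
ash     Admin Service Handler     enabled  up    8 processes'

if informix_online "$ONSTAT_OK"; then
    echo "Informix On-Line: safe to start the CA"
fi
if ! informix_online "$ONSTAT_NOT_READY"; then
    echo "Informix not On-Line: do not start the CA yet"
fi
problems=$(service_problems "$STATUS_DEGRADED")
if [ -n "$problems" ]; then
    echo "Enabled subsystems that are not up:"
    echo "$problems"
fi
```

In use, replace the constructed strings with `"$(onstat -)"` and the captured output of `service status`; a disabled subsystem (such as SEP when it is not in use) is deliberately not reported, only enabled ones that failed to start.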

...

Code Block
languagebash
su - svradm                  # roaming server service account
cd /opt/roamingserver_URS
./entroamsrv.sh start        # start this Roaming Server instance; repeat for every instance
Starting Entrust roaming server...  Done

Stopping Services

...

Diagnostics

Database Integrity Check

If there are alerts about the database, log into entsh as a master user and run an integrity check,

Code Block
languagebash
ou=CA200,o=e-Scotia.com,c=CA.Master1 $ db integrity
Syntax: db integrity validate | query | { config -timer <period> <notbefore> <notafter> }
Description: perform, query or configure automatic integrity check
ou=CA200,o=e-Scotia.com,c=CA.Master1 $ db integrity validate
66% complete. Estimated time remaining 00:06:32 @ (852.7/s) \
100% complete. Estimated time remaining 00:00:00 |   374.2/s) \
Database integrity validation completed successfully.