Overview of a PKI
Minimal parts of the PKI
- CA
- Entrust Authority Security Manager 7.1 SP3
- Security Manager database
- LDAP compliant Directory
Additionally we use,
- Roaming Server
- SMA (Security Manager Administration) Client
Info: Much of this material comes from the Security Manager 8.1 Deployment Guide, document issue 3.0.
Security Manager
Security Manager is the CA (Certificate Authority). The main functions of the Security Manager are to,
- Create certificates for all public keys.
- Create encryption key pairs for users.
- Manage a secure database of information that allows for recovery of users' encryption key pairs
- Enforce defined security policies.
Security Manager Control Command Shell allows Masters Users to administer and monitor Security Manager.
Security Manager has 8 subsystems to handle requests from its own components and PKI-enabled products,
Communication
- Public-Key Infrastructure X.509 - Certificate Management Protocol (PKIX-CMP) subsystem - manages keys; defaults to 2 processes
- Entrust proto-PKIX (SEP) subsystem - Entrust proprietary; handles requests from applications such as Entrust Authority Enrollment Server for Web; defaults to 2 processes; can safely be disabled if not in use
Prior to Security Manager 8.1, the Entrust proto-PKIX subsystem handled both the proto-PKIX and SEP (Secure Exchange Protocol) protocols. Secure Exchange Protocol is no longer supported and the SEP subsystem now only supports proto-PKIX.
- Administration Service Handler (ASH) subsystem - handles requests from SMA; defaults to 4 processes
- XML Administration Protocol (XAP) subsystem - Entrust proprietary; used by clients such as Entrust Admin Services; defaults to 2 processes
Internal Functions
- Key Generator subsystem
- Automatic Backup subsystem
- Database Integrity Check subsystem
- CRL and Maintenance subsystem
See Security Manager 8.1 Deployment Guide document issue 3.0 for more details.
Security Manager Database
Stores information about the PKI users and the infrastructure. SM encrypts and protects this data using keys derived from the Master User password. The database is used to,
- Store the CA signing key pair. Alternatively, for higher security, a Hardware Security Module (HSM) can be used instead.
- Store user status information and DN of each user.
- Optionally, store the encryption key pair history for all Entrust users.
- Store the verification public key history and public keys for users (note private keys never leave the user's profile).
- Store validity periods for user signing key pairs, user encryption key pairs and system cross-certificates.
- Store Security Officer information.
- Store Entrust Administrator information.
Security Manager Directory
The directory has the following functions,
- Stores CA certificates
- Stores CRLs
- Optionally, stores user information
Starting Services
Services must be started and stopped in the right order.
- Master Directory and any Directory Shadows
- Informix Database
- CA (Security Manager)
- Roaming Server (all instances)
...
Note: Alternatively, the startstop.sh script starts both the Informix Database and the CA.
Please note that you must import the environment settings before running the scripts:
```
. ./env_settings.sh
```
Log into CA1,
```
su -
su - master
oninit -v   # Start Informix
```
...
```
onstat -
IBM Informix Dynamic Server Version 9.40.UC9 -- On-Line -- Up 00:01:56 -- 33792 Kbytes
```
CA (Security Manager)
Log into CA1.
Using entsh is Shawn's preferred method of starting the CA. You must be a master user.
...
```
login
Master User Name: Master1
Password:
You are logged in to Security Manager Control
ou=CA200,o=e-Scotia.com,c=CA.Master1 $
```
Start the actual service subsystems,
```
ou=CA200,o=e-Scotia.com,c=CA.Master1 $ service start
ou=CA200,o=e-Scotia.com,c=CA.Master1 $ service status
sep     Entrust SEP               enabled  up  2 processes
keygen  Key Generator             enabled  up  1 processes
backup  Automatic Backup          enabled  up  1 processes
integ   Database Integrity Check  enabled  up  1 processes
amb     CRL and Maintenance       enabled  up  1 processes
ash     Admin Service Handler     enabled  up  8 processes
cmp     PKIX-CMP                  enabled  up  2 processes
xap     XML Admin Protocol        enabled  up  2 processes
```
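Because the services must come up in order, it is worth checking that Informix reports On-Line and that all eight subsystems are enabled and up before moving on to the Roaming Server. The script below is an added example, not part of this page or of Entrust's tooling: it parses the `onstat -` header and the entsh `service status` listing shown above (sample text constructed from those listings; the function and variable names are the example's own).

```shell
#!/bin/sh
# Added example, not from the page or from Entrust: post-start health checks
# on the output the page shows. Both functions read that output on stdin, so
# they accept live command output or the constructed samples below.

# Subsystem names exactly as entsh `service status` prints them.
EXPECTED_SUBSYSTEMS="sep keygen backup integ amb ash cmp xap"

# informix_online: succeed only if the `onstat -` header reports On-Line.
informix_online() {
    grep -q -- '-- On-Line --'
}

# sm_subsystems_healthy: read `service status` output and report each
# expected subsystem that is missing, not "enabled up", or has no
# processes; exit non-zero if anything is wrong.
sm_subsystems_healthy() {
    awk -v expected="$EXPECTED_SUBSYSTEMS" '
        # Only status rows end in "<N> processes"; skip prompt lines.
        NF < 4 || $NF != "processes" { next }
        { state[$1] = $(NF-3) " " $(NF-2); procs[$1] = $(NF-1) + 0 }
        END {
            rc = 0
            n = split(expected, names, " ")
            for (i = 1; i <= n; i++) {
                name = names[i]
                if (!(name in state)) { print "MISSING: " name; rc = 1 }
                else if (state[name] != "enabled up" || procs[name] < 1) {
                    print "NOT HEALTHY: " name " (" state[name] ", " procs[name] " processes)"
                    rc = 1
                }
            }
            exit rc
        }'
}

# Constructed samples copied from the page's listings; the second one has
# ASH stopped and the XAP row missing.
SAMPLE_STATUS_OK='ou=CA200,o=e-Scotia.com,c=CA.Master1 $ service status
sep Entrust SEP enabled up 2 processes
keygen Key Generator enabled up 1 processes
backup Automatic Backup enabled up 1 processes
integ Database Integrity Check enabled up 1 processes
amb CRL and Maintenance enabled up 1 processes
ash Admin Service Handler enabled up 8 processes
cmp PKIX-CMP enabled up 2 processes
xap XML Admin Protocol enabled up 2 processes'
SAMPLE_STATUS_BAD=$(printf '%s\n' "$SAMPLE_STATUS_OK" | grep -v '^xap ' | sed 's/^ash .*/ash Admin Service Handler enabled down 0 processes/')
SAMPLE_ONSTAT='IBM Informix Dynamic Server Version 9.40.UC9 -- On-Line -- Up 00:01:56 -- 33792 Kbytes'
```

On a live system the same functions take real output, e.g. `onstat - | informix_online` after `oninit -v`, and `sm_subsystems_healthy` fed with the captured `service status` listing from entsh.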
...
```
su - svradm
cd /opt/roamingserver_URS
./entroamsrv.sh start
Starting Entrust roaming server...
Done
```
Stopping Services
...
Diagnostics
Database Integrity Check
If there are alerts about the database, log into entsh as a Master User and run,
```
ou=CA200,o=e-Scotia.com,c=CA.Master1 $ db integrity
Syntax: db integrity validate | query | { config -timer <period> <notbefore> <notafter> }
Description: perform, query or configure automatic integrity check
ou=CA200,o=e-Scotia.com,c=CA.Master1 $ db integrity validate
66% complete. Estimated time remaining 00:06:32 @ (852.7/s) \
100% complete. Estimated time remaining 00:00:00 | 374.2/s) \
Database integrity validation completed successfully.
```