Overview of a PKI
Minimal parts of the PKI
- CA
- Entrust Authority Security Manager 7.1 SP3
- Security Manager database
- LDAP compliant Directory
Additionally we use,
- Roaming Server
- SMA (Security Manager Administration) Client
Much of this material comes from the Security Manager 8.1 Deployment Guide, document issue 3.0.
Security Manager
Security Manager is the CA (Certificate Authority). The main functions of the Security Manager are to,
- Create certificates for all public keys.
- Create encryption key pairs for users.
- Manage a secure database of information that allows for recovery of users' encryption key pairs.
- Enforce defined security policies.
Security Manager Control Command Shell allows Master Users to administer and monitor Security Manager.
Security Manager has 8 subsystems to handle requests from its own components and PKI-enabled products,
Communication
- Public-Key Infrastructure X.509 - Certificate Management Protocol (PKIX-CMP) subsystem - manages keys, defaults to 2 processes
- Entrust proto-PKIX (SEP) subsystem - Entrust proprietary, handles requests from apps such as Entrust Authority Enrollment Server for Web, 2 processes, can be safely disabled if not in use
Prior to Security Manager 8.1, the Entrust proto-PKIX subsystem handled both the proto-PKIX and SEP (Secure Exchange Protocol) protocols. Secure Exchange Protocol is no longer supported and the SEP subsystem now only supports proto-PKIX.
- Administration Service Handler (ASH) subsystem - handles requests from SMA, defaults to 4 processes
- XML Administration Protocol (XAP) subsystem - proprietary and used by clients such as Entrust Admin Services, defaults to 2 processes
Internal Functions
- Key Generator subsystem
- Automatic Backup subsystem
- Database Integrity Check subsystem
- CRL and Maintenance subsystem
See Security Manager 8.1 Deployment Guide document issue 3.0 for more details.
Security Manager Database
The database stores information about the PKI users and the infrastructure. SM encrypts and protects data using keys derived from the Master User password. The database is used to,
- Store the CA signing key pair. Alternatively, for higher security, a Hardware Security Module (HSM) can be used instead.
- Store user status information and DN of each user.
- Optionally, store the encryption key pair history for all Entrust users.
- Store the verification public key history and public keys for users (note private keys never leave the user's profile).
- Store validity periods for user signing key pairs, user encryption key pairs and system cross-certificates.
- Store Security Officer information.
- Store Entrust Administrator information.
Security Manager Directory
The directory stores the following,
- CA certificates
- CRLs
- Optionally, user information
Starting Services
Services must be started and stopped in the right order.
- Master Directory and any Directory Shadows
- Informix Database
- CA
- Roaming Server (all instances)
Start Directory via Management Tool
This is Shawn's preferred method.
Start the management tool,
odsmgmt
When odsmgmt starts, any errors that occurred during shutdown are displayed.
Start the service by pressing s,
------------------------------ CP Directory Server Management ------------------------------
Enter the letter for the management operation required:
(s) Start the directory
(w) Display directories running
(l) Display odssched.log
(e) Report any errors or warnings that occurred
(c) Clears any errors or warnings that have occurred
(q) Quit
>s
odssched 10393 started
Verify that the service is working,
>v
pid    inst  action        fails  state  name       options
10394  M     default       0      ok     odsmdsa    -d"/var/cpshadow"
10395  0     restart this  0      ok     odssdsa
10396  1     restart this  0      ok     odssdsa
10397  0     restart this  0      ok     odscomms
10398  0     restart this  0      ok     odscommsi
10399  0     default       0      ok     odsshadi
10400  0     restart this  0      ok     odsldap3   -ldap:389 -ldaps:0 -http:0 -https:0 -charsetv2:iso8859-1
Start Directory via Command Line
Primary Directory
Log into CA1.
Start the Critical Path Directory Server as the diradmin user,
su -
su - diradmin
odselog -a        # Check if there were errors before you start
cd /var/cpmaster  # You MUST be in the Critical Path Data Directory of the instance you want to start
odsstart
Verify that the service is running properly,
odsmgmt -v
pid   inst  action        fails  state  name       options
6933  M     default       0      ok     odsmdsa    -d"/var/cpmaster"
6934  0     restart this  0      ok     odssdsa
6935  1     restart this  0      ok     odssdsa
6936  0     restart this  0      ok     odscomms
6937  0     restart this  0      ok     odscommsi
6938  0     default       0      ok     odsshadi
6939  0     restart this  0      ok     odsldap3   -ldap:1389 -ldaps:0 -http:0 -https:0 -charsetv2:iso8859-1
You can also see the processes,
The primary Critical Path Directory Server is now running.
Shadow Directory
Log into RS1.
Repeat the above steps except the data directory changes from cpmaster to cpshadow,
su -
su - diradmin
odselog -a        # Check if there were errors before you start
cd /var/cpshadow  # You MUST be in the Critical Path Data Directory of the instance you want to start
odsstart
odsmgmt -v
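Added example, not from the Security Manager or Critical Path documentation: a small POSIX shell helper that parses the process table printed by odsmgmt -v (for the master or the shadow instance, as shown above) and flags any process whose state is not ok or whose fails count is non-zero, and that reports the port odsldap3 is listening on. The column layout (pid inst action fails state name options) is assumed from the output on this page; the sample tables are constructed, and the failed row in the second sample uses a hypothetical state value.

```shell
#!/bin/sh
# Added example, not from the Entrust or Critical Path documentation.
# Assumed column layout (from the odsmgmt -v output on this page):
#   pid inst action fails state name options
# where action is either "default" (one field) or "restart this" (two fields).

# check_ods_table: read an odsmgmt -v table from stdin.
# Prints one line per unhealthy process; returns 0 if all are healthy, 1 otherwise.
check_ods_table() {
    awk '
        NR == 1 && $1 == "pid" { next }        # skip the header row
        NF == 0 { next }                        # skip blank lines
        {
            off = ($3 == "restart") ? 1 : 0     # "restart this" shifts later columns by one
            fails = $(4 + off); state = $(5 + off); name = $(6 + off)
            if (state != "ok" || fails != 0) {
                printf "UNHEALTHY pid=%s name=%s fails=%s state=%s\n", $1, name, fails, state
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# ldap_port: print the port from the -ldap:<port> option of odsldap3, so you can
# confirm which instance (master on 1389, shadow on 389 on this page) came up.
ldap_port() {
    awk '/odsldap3/ { for (i = 1; i <= NF; i++) if ($i ~ /^-ldap:/) { sub(/^-ldap:/, "", $i); print $i } }'
}

# Constructed sample: a healthy master table as shown on this page.
HEALTHY='pid inst action fails state name options
6933 M default 0 ok odsmdsa -d"/var/cpmaster"
6934 0 restart this 0 ok odssdsa
6935 1 restart this 0 ok odssdsa
6936 0 restart this 0 ok odscomms
6937 0 restart this 0 ok odscommsi
6938 0 default 0 ok odsshadi
6939 0 restart this 0 ok odsldap3 -ldap:1389 -ldaps:0 -http:0 -https:0 -charsetv2:iso8859-1'

# Constructed sample: the LDAP front end has failed twice and is no longer "ok"
# (the "failed" state string is hypothetical, used only to exercise the check).
BROKEN='pid inst action fails state name options
6933 M default 0 ok odsmdsa -d"/var/cpmaster"
6939 0 restart this 2 failed odsldap3 -ldap:1389 -ldaps:0 -http:0 -https:0 -charsetv2:iso8859-1'

# On a live host: odsmgmt -v | check_ods_table && echo "directory healthy"
```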
Instructions on verifying that the shadow agreement works should go here. There are two ways: view new Directory entries and check whether they replicate, or use the DAC (Directory Access Center) fat client program.
Informix Database
...
CA
...
Roaming Server
Log into RS3.
There is also an extra RS3 to enable Enforced Roaming ID for Admin Services 7.3. This is temporary until Entrust provides a fix to allow AS itself to enforce Roaming IDs.
Stopping Services
...