www.bonsaiframework.com
Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 17 Next »

Overview of a PKI

Minimal parts of the PKI

  • CA
    • Entrust Authority Security Manager 7.1 SP3
    • Security Manager database
  • LDAP compliant Directory

Additionally we use,

  • Roaming Server
  • SMA (Security Manager Administration) Client

Much of this material comes form Security Manager 8.1 Deployment Guide document issue 3.0.

Security Manager

Security Manager is the CA (Certificate Authority). The main functions of the Security Manager are to,

  • Create certificates for all public keys.
  • Create encryption key pairs for users.
  • Manage a secure database of information that allows for recovery of users' encryption key pairs
  • Enforce defined security policies.

Security Manager Control Command Shell allows Masters Users to administer and monitor Security Manager.

Security Manager has 8 subsystems to handle requests from its own components and PKI-enabled products,

Communication

  • Public-Key Infrastructure X.509 - Certificate Management Protocal (PKIX-CMP) subsystem - manage keys and defaults to 2 processes
  • Entrust proto-PKIX (SEP) subsystem - Entrust proprietary and handles requests from apps such as Entrust Authority Enrollment Server for Web, 2 processes, can safely disable if not using
    Prior to Security Manager 8.1, the Entrust proto-PKIX subsystem handled
    both the proto-PKIX and SEP (Secure Exchange Protocol) protocols. Secure
    Exchange Protocol is no longer supported and the SEP subsystem now only
    supports proto-PKIX.
  • Administration Service Handler (ASH) subsystem - handles requests from SMA, defaults to 4 processes
  • XML Administration Protocol (XAP) subsystem - proprietary and used by clients such as Entrust Admin Services, defaults to 2 processes

Internal Functions

  • Key Generator subsystem
  • Automatic Backup subsystem
  • Database Integrity Check subsystem
  • CRL and Maintenance subsystem

See Security Manager 8.1 Deployment Guide document issue 3.0 for more details.

Security Manager Database

Store information about the PKI users and the infrastructure in the database. SM encrypts and protects data using keys derived from the Master User password. The database is used to,

  • Store the CA signing key pair. Alternatively for higher security a Hawdware Security Module (HSM) can be used instead.
  • Store user status information and DN of each user.
  • Optionally, store the encryption key pair hsitory for all Entrust users.
  • Store the verification public key history and public keys for users (note private keys never leave the user's profile).
  • Store validity periods for user signing key pairs, user encryption key pairs and system cross-certificates.
  • Store Security Officer information
  • Store Entrust Administrator information

Security Manager Directory

The directory has the following functions,

  • Stores CA certificates
  • CRLs
  • Optionally, user information

Starting Services

Services must be started and stopped in the right order.

  • Master Directory and any Directory Shadows
  • Informix Database
  • CA
  • Roaming Server all instances

Start Directory via Management Tool

This is  Shawn's preferred method.

Start the management tool,

odsmgmt

Upon startup of odsmgmt, if there were any errors during shut down you would see them.

Start the service by hitting s,

------------------------------
CP Directory Server Management
------------------------------

Enter the letter for the management operation required:

    (s) Start the directory
    (w) Display directories running
    (l) Display odssched.log
    (e) Report any errors or warnings that occurred
    (c) Clears any errors or warnings that have occurred
    (q) Quit

>s

odssched 10393 started

Verify that the service is working,

>v
pid     inst    action          fails   state   name    options

10394   M       default         0       ok      odsmdsa -d"/var/cpshadow"
10395   0       restart this    0       ok      odssdsa
10396   1       restart this    0       ok      odssdsa
10397   0       restart this    0       ok      odscomms
10398   0       restart this    0       ok      odscommsi
10399   0       default         0       ok      odsshadi
10400   0       restart this    0       ok      odsldap3        -ldap:389 -ldaps:0 -http:0 -https:0 -charsetv2:iso8859-1

Start Directory via Command Line

Primary Directory

Log into CA1.

Start the Critical Path Directory Server as the diradmin user,

su -
su - diradmin
odselog -a       # Check if there were errors before you start
cd /var/cpmaster # You MUST be in the Critical Path Data Directory of the instance you want to start
odsstart

Verify that the service is running properly,

odsmgmt -v
pid     inst    action          fails   state   name    options

6933    M       default         0       ok      odsmdsa -d"/var/cpmaster"
6934    0       restart this    0       ok      odssdsa
6935    1       restart this    0       ok      odssdsa
6936    0       restart this    0       ok      odscomms
6937    0       restart this    0       ok      odscommsi
6938    0       default         0       ok      odsshadi
6939    0       restart this    0       ok      odsldap3        -ldap:1389 -ldaps:0 -http:0 -https:0 -charsetv2:iso8859-1

You can also see the processes,

ps -ef | grep ods
diradmin  6932  1191   0 14:11:41 ?           0:00 odssched
diradmin  6934  6932   0 14:11:41 ?           0:00 odssdsa -I0
diradmin  6936  6932   0 14:11:41 ?           0:00 odscomms -P0 -I0
diradmin  6935  6932   0 14:11:41 ?           0:00 odssdsa -I1
diradmin  6933  6932   0 14:11:41 ?           0:00 odsmdsa -d"/var/cpmaster" -I0
diradmin  6937  6932   0 14:11:41 ?           0:00 odscommsi -P0 -I0
diradmin  6938  6932   0 14:11:41 ?           0:00 odsshadi -I0
    root  6939  6932   0 14:11:41 ?           0:09 odsldap3 -ldap:1389 -ldaps:0 -http:0 -https:0 -charsetv2:iso8859-1 -instanceNum
diradmin  8235  5612   0 14:30:29 pts/2       0:00 grep ods

The primary Critical Path Directory Services is now running.

Shadow Directory

Log into RS1.

Repeat the above steps except the data directory changes from cpmaster to cpshadow,

su -
su - diradmin
odselog -a       # Check if there were errors before you start
cd /var/cpshadow # You MUST be in the Critical Path Data Directory of the instance you want to start
odsstart
odsmgmt -v

Should put instructions here on verifying shadow agreement works. 2 ways, view new Directory entries and see if it replicates or use DAC (Directory Access Center) fat client program.

Informix Database

...

CA

...

Roaming Server

Log into RS3

There is also an extra RS3 to enable Enforced Roaming ID for Admin Services 7.3. This is temporary until Entrust provides a fix to allow AS itself to enforce Roaming IDs.

Stopping Services

...

  • No labels