www.bonsaiframework.com
Page tree
Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 24 Next »

Overview of a PKI

Minimal parts of the PKI

  • CA
    • Entrust Authority Security Manager 7.1 SP3
    • Security Manager database
  • LDAP compliant Directory

Additionally we use,

  • Roaming Server
  • SMA (Security Manager Administration) Client

Much of this material comes form Security Manager 8.1 Deployment Guide document issue 3.0.

Security Manager

Security Manager is the CA (Certificate Authority). The main functions of the Security Manager are to,

  • Create certificates for all public keys.
  • Create encryption key pairs for users.
  • Manage a secure database of information that allows for recovery of users' encryption key pairs
  • Enforce defined security policies.

Security Manager Control Command Shell allows Masters Users to administer and monitor Security Manager.

Security Manager has 8 subsystems to handle requests from its own components and PKI-enabled products,

Communication

  • Public-Key Infrastructure X.509 - Certificate Management Protocal (PKIX-CMP) subsystem - manage keys and defaults to 2 processes
  • Entrust proto-PKIX (SEP) subsystem - Entrust proprietary and handles requests from apps such as Entrust Authority Enrollment Server for Web, 2 processes, can safely disable if not using
    Prior to Security Manager 8.1, the Entrust proto-PKIX subsystem handled
    both the proto-PKIX and SEP (Secure Exchange Protocol) protocols. Secure
    Exchange Protocol is no longer supported and the SEP subsystem now only
    supports proto-PKIX.
  • Administration Service Handler (ASH) subsystem - handles requests from SMA, defaults to 4 processes
  • XML Administration Protocol (XAP) subsystem - proprietary and used by clients such as Entrust Admin Services, defaults to 2 processes

Internal Functions

  • Key Generator subsystem
  • Automatic Backup subsystem
  • Database Integrity Check subsystem
  • CRL and Maintenance subsystem

See Security Manager 8.1 Deployment Guide document issue 3.0 for more details.

Security Manager Database

Store information about the PKI users and the infrastructure in the database. SM encrypts and protects data using keys derived from the Master User password. The database is used to,

  • Store the CA signing key pair. Alternatively for higher security a Hawdware Security Module (HSM) can be used instead.
  • Store user status information and DN of each user.
  • Optionally, store the encryption key pair hsitory for all Entrust users.
  • Store the verification public key history and public keys for users (note private keys never leave the user's profile).
  • Store validity periods for user signing key pairs, user encryption key pairs and system cross-certificates.
  • Store Security Officer information
  • Store Entrust Administrator information

Security Manager Directory

The directory has the following functions,

  • Stores CA certificates
  • CRLs
  • Optionally, user information
  • No labels