000018894 - How to do automatic vetting of certificate requests for Sentry RA

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Number: 000018894
Applies To: Sentry RA 4.0
TechNote 0223
Issue: How to do automatic vetting of certificate requests for Sentry RA
Resolution: The purpose of this solution is to guide CA/RA administrators in implementing automatic vetting of certificate requests under Sentry RA 4.0.

Automatic vetting of certificate requests means that certificates are signed without administrator intervention and are then downloaded automatically into the client browsers.

You must change both the CA's and the RA's LDAP ACL rules that control the RA enrollment client's access to the "request queue", using the "Modify LDAP ACL Rules" function. You must also use the automatic vetting templates provided.

Remember that when setting LDAP ACL rules, the order of the rules is critical.

Solution:

1. Modify the RA's LDAP ACL Rules
  a. Determine the md5 values of the RA admin client and the RA enrollment client.
     These can be found at the end of the LDAP ACL rules, in the rule that allows writing to the request queue:
        access to dn="dn=request_queue"
               by dn="md5=<ra-admin-client-md5>" write
               by dn="md5=<ra-enrollment-client-md5>" write

     (After installation, the first one is always the admin client and the second one is always the enrollment client.)

  b. The RA enrollment client needs access to the xuda_certificate objectclass for automatic vetting to work.

     Find the section which controls access to the xuda_certificate objectclass. It looks like this:

        access to filter="objectclass=xuda_certificate"
               by dn="md5=<ra-admin-client-md5>" write
               by dn=".*" read

     Modify the above ACL into:

        access to filter="objectclass=xuda_certificate"
               by dn="md5=<ra-admin-client-md5>" write
               by dn="md5=<ra-enrollment-client-md5>" write
               by dn=".*" read

  c. Save this modification to the ACL database.

2. Modify the Target CA's LDAP ACL Rules

  a. The RA enrollment client needs access to the target CA's request_queue.

     Find the section which controls access to the target CA's request_queue objectclass. It looks like:

        access to dn="dn=request_queue"
               by dn="md5=<ca-admin-server-md5>" write
               by dn="md5=<ca-enrollment-server-md5>" write
               by dn="md5=<dss-enrollment-server-md5>" write
               by dn="md5=<ra-admin-client-md5>" write
               by dn="xcert_products" write
               by dn=".*" none

     Modify the above ACL into:

        access to dn="dn=request_queue"
               by dn="md5=<ca-admin-server-md5>" write
               by dn="md5=<ca-enrollment-server-md5>" write
               by dn="md5=<dss-enrollment-server-md5>" write
               by dn="md5=<ra-admin-client-md5>" write
               by dn="md5=<ra-enrollment-client-md5>" write
               by dn="xcert_products" write
               by dn=".*" none

   b. The RA enrollment client also needs access to the target CA's signing backend.

      Find the related section which looks like:

         access to dn="md5=<target-CA-md5>,o=ca,o=services"
                by dn="md5=<ca-admin-server-md5>" write
                by dn="md5=<ra-admin-client-md5>" write
                by dn="xcert_products" write
                by dn=".*" none

      Modify it into:

         access to dn="md5=<target-CA-md5>,o=ca,o=services"
                by dn="md5=<ca-admin-server-md5>" write
                by dn="md5=<ra-admin-client-md5>" write
                by dn="md5=<ra-enrollment-client-md5>" write
                by dn="xcert_products" write
                by dn=".*" none

  c. Save the above modifications to the CA's ACL database.
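
As an added worked example (not part of this TechNote or of the Sentry RA product), the following Python script applies the ACL edits of steps 1 and 2 to an exported copy of the rule text and then checks the result. It assumes the rule syntax shown in the snippets above ("access to ..." followed by "by dn=... <level>" lines); the sample rule sets and their md5 values are constructed placeholders, and the target names and the signing-backend DN form follow the article. The "Modify LDAP ACL Rules" function of Sentry RA remains the place where the rules are actually stored.

```python
import re

# Constructed sample rule sets; the md5 values are placeholders, not real hashes.
RA_ACL = """\
access to filter="objectclass=xuda_certificate"
       by dn="md5=RAADMIN00" write
       by dn=".*" read
access to dn="dn=request_queue"
       by dn="md5=RAADMIN00" write
       by dn="md5=RAENROLL0" write
"""

CA_ACL = """\
access to dn="dn=request_queue"
       by dn="md5=CAADMIN00" write
       by dn="md5=CAENROLL0" write
       by dn="md5=RAADMIN00"write
       by dn="xcert_products" write
       by dn=".*" none
access to dn="md5=TARGETCA0,o=ca,o=services"
       by dn="md5=CAADMIN00" write
       by dn="md5=RAADMIN00" write
       by dn="xcert_products" write
       by dn=".*" none
"""

# One 'by' line; the space before the access level is optional, as in the article's text.
BY_RE = re.compile(r'^\s*by\s+dn="(?P<who>[^"]*)"\s*(?P<level>\w+)\s*$')


def parse_acl(text):
    """Split rule text into [(target, [(who, level), ...]), ...]."""
    blocks = []
    for line in filter(str.strip, text.splitlines()):
        if line.lstrip().startswith("access to "):
            blocks.append((line.strip()[len("access to "):], []))
            continue
        m = BY_RE.match(line)
        if not m or not blocks:
            raise ValueError("unparsable ACL line: %r" % line)
        blocks[-1][1].append((m.group("who"), m.group("level")))
    return blocks


def render_acl(blocks):
    """Write the blocks back out in the article's layout."""
    lines = []
    for target, bys in blocks:
        lines.append("access to " + target)
        lines.extend('       by dn="%s" %s' % (who, level) for who, level in bys)
        lines.append("")
    return "\n".join(lines)


def find_ra_clients(blocks):
    """Step 1a: first md5 in the RA request_queue rule is the admin client, second the enrollment client."""
    for target, bys in blocks:
        if target == 'dn="dn=request_queue"':
            md5s = [who for who, _ in bys if who.startswith("md5=")]
            return md5s[0], md5s[1]
    raise LookupError("no request_queue rule found")


def grant_write(blocks, target, who):
    """Add 'by dn="<who>" write' to one rule, ahead of any catch-all '.*' entry; False if already present."""
    for t, bys in blocks:
        if t != target:
            continue
        if (who, "write") in bys:
            return False
        idx = next((i for i, (w, _) in enumerate(bys) if w == ".*"), len(bys))
        bys.insert(idx, (who, "write"))
        return True
    raise LookupError("no rule for target " + target)


def check_acl(blocks, who, targets):
    """Post-edit review: 'who' has write on each target, listed before the catch-all, and '.*' never has write."""
    problems = []
    for target, bys in blocks:
        whos = [w for w, _ in bys]
        if target in targets:
            if (who, "write") not in bys:
                problems.append("%s: %s has no write access" % (target, who))
            elif ".*" in whos and whos.index(who) > whos.index(".*"):
                problems.append("%s: %s is listed after the catch-all" % (target, who))
        if (".*", "write") in bys:
            problems.append("%s: catch-all '.*' has write access" % target)
    return problems


def apply_autovet_edits(ra_text, ca_text, target_ca_md5):
    """Steps 1b, 2a and 2b on exported rule text; returns (ra, ca, problems)."""
    ra, ca = parse_acl(ra_text), parse_acl(ca_text)
    enroll = find_ra_clients(ra)[1]
    ra_targets = ['filter="objectclass=xuda_certificate"']
    ca_targets = ['dn="dn=request_queue"', 'dn="md5=%s,o=ca,o=services"' % target_ca_md5]
    for t in ra_targets:
        grant_write(ra, t, enroll)
    for t in ca_targets:
        grant_write(ca, t, enroll)
    problems = check_acl(ra, enroll, ra_targets) + check_acl(ca, enroll, ca_targets)
    return render_acl(ra), render_acl(ca), problems
```

Each grant is inserted ahead of any catch-all 'by dn=".*"' entry, so the rule order the article warns about is preserved, and running the script twice does not duplicate lines. check_acl also flags any rule that gives the catch-all write access, which is the mistake to look for after hand-editing the rules.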

3. Set up the automatic vetting templates

  Obtain the autovetting templates for the RA from the URL: https://knowledge.rsasecurity.com/docs/utilities/ra_autovet40.zip

  a. Unzip the file; it contains the following four xuda files:

       ra-request-spk.xuda
       ra-add-spk-request.xuda
       ra-request-msie.xuda
       ra-add-msie-request.xuda
       
  b. Copy these files under <installed-RA-dir>\webServer\enroll-server
     
  c. If you want the RA to vet certificate requests both manually and automatically, follow this procedure:

      i. Open the file index.xuda in the enrollment server sub-directory.

     ii. Find the two lines which look like:

        and


    iii. Modify them into:

        and


     iv. Save the file under a different name of your choice (e.g. ra-autovet-index.xuda).
    
     v. Tell your users who need their certificate requests vetted automatically to browse the RA enrollment server by using:

        https://<ra_hostname>:<ra_enroll_port>/ra-autovet-index.xuda

  d. If you want the RA to vet ALL certificate requests automatically, follow steps i, ii and iii above, then save the modified file in place of index.xuda; this directs all users to the auto-vetting templates.

     Note: You may need to change the file permission to perform this step. Make sure to change the file permission back to "Read-only" after finishing the modification.


Additional Notes:

- TTL (time to live) should be set to the number of days that you want the certificates to be valid for. You can modify the TTL value in ra-add-msie-request.xuda or ra-add-spk-request.xuda.

- To allow auto-vetting of a LUNA-based CA, or any CA for which a passphrase is used, you must ensure that either:
     a.) The PIN is automatically provided at startup using the "setpin" directive.
   or
     b.) The correct PIN is entered at startup time.

- If you are using Netscape Navigator as the client browser, after clicking the "Submit" button and once the process is done, the certificate is downloaded into your browser directly. You can check it by going to Security --> Certificates --> Yours.

  If you are using MSIE as the client browser, after clicking the "Submit" button and once the process is done, you will have to click the "Install" button to install the certificate into your browser.

Legacy Article ID: a4068
