000018816 - To allow automatic vetting of certificate request for Sentry CA 3.5 and later.

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2


Article Number: 000018816
Applies To: Sentry CA 3.5 and later
TechNote 0088
Issue: To allow automatic vetting of certificate requests for Sentry CA 3.5 and later.
Resolution: Sentry CA can sign certificates without administrator intervention (that is, without placing requests in a request queue and then signing them manually). To enable this, change the LDAP ACL rules that control the enrollment server's access to the database using the 'Modify LDAP ACL Rules' function, and then put the automatic vetting templates in place.

Note that you do not need to change the LDAP ACL rules if you are doing automatic vetting via the administrative webserver. These rule changes allow the enrollment webserver to have access to the items required for automatic vetting of the certificate requests.

Remember that when you set LDAP ACL rules, the order of the rules is critical to producing the correct effect.

1. Determine the md5 of your administration and enrollment server.
   This can be found at the end of the LDAP ACL rules in the rule that allows writing to the request queue:
                access to dn="dn=request_queue"
                       by dn="md5=<administration-server-md5>" write
                       by dn="md5=<enrollment-server-md5>" write
                       by dn="md5=<dss-enrollment-server-md5>" write

(After installation, the first entry is always the admin server, the second is always the enrollment server, and the third is always the DSS-based enrollment server (port 445).)

If you want to limit which CA can be automatically vetted, you will also need the md5 for each CA that you want to do automatic signing for. This can be viewed by looking at each CA of interest using the 'View existing CA' function. (If you want to allow automatic vetting for all CAs you do not need to find their md5s.)

2. The enrollment server needs access to the Signing Backend for automatic vetting to work. Access to the Signing Backend is controlled by the LDAP ACL Rules. Edit the LDAP ACL Rules as follows to give appropriate access:
      There are two choices:
            a. allow access to all CAs
            b. allow access only to specific CAs
      Follow the instructions in either 2a or 2b as appropriate.

   a. Modify LDAP ACL rules to allow autovetting access to all CAs

   Find the section which controls access to the Signing Backend.
   It looks like this:
        #
        # Admin server has write access to the CA operations (signing)
        # backend -- access is denied to all other clients.
        #
        access to dn="o=ca,o=services"
                    by dn="md5=12345678901234567890123456789012" write
                    by dn=".*" none

   Add the enrollment server's md5 to the list of allowed DNs, above the final
   line (the catch-all "by dn=".*" none"), as shown below.

        #
        # Admin server has write access to the CA operations (signing)
        # backend -- access is denied to all other clients.
        #
        access to dn="o=ca,o=services"
                    by dn="md5=12345678901234567890123456789012" write
                    by dn="md5=<enrollment-server-md5>" write
                    by dn=".*" none

    - - - OR - - -

  b. Modify LDAP ACL rules to allow access only to specific CAs

  Add the following lines above the existing signing backend ACL Rule:

        #
        # Admin server and enrollment server have write access to the
        # CA operations (signing) backend for this particular CA --
        # access is denied to all other clients.
        #
        access to dn="<CA_md5>,o=ca,o=services"
                     by dn="md5=12345678901234567890123456789012" write
                     by dn="md5=<enrollment-server-md5>" write
                     by dn=".*" none

       Where <CA_md5> is the md5 of the CA for which you want the enrollment server to
       handle automatic vetting. Create one of these rules for each CA you want
       the enrollment server to handle automatic vetting for.

  When finished, your rules should look as follows:

        #
        # Admin server and enrollment server have write access to the
        # CA operations (signing) backend for this particular CA --
        # access is denied to all other clients.
        #
        access to dn="<CA_md5>,o=ca,o=services"
                     by dn="md5=12345678901234567890123456789012" write
                     by dn="md5=<enrollment-server-md5>" write
                     by dn=".*" none

             <repeat for each CA you wish to have autovetting for>

       #
       # Admin server has write access to the CA operations (signing)
       # backend -- access is denied to all other clients.
       #

       access to dn="o=ca,o=services"
                     by dn="md5=12345678901234567890123456789012" write
                     by dn=".*" none
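The point of the ordering in step 2 is that the general rule for "o=ca,o=services" also matches the per-CA entry, so a per-CA rule placed after it is never consulted and the enrollment server ends up with no signing access. The following is an added example, not RSA's code and not part of the original article: a small Python evaluator for the ACL syntax shown above that parses the two rule fragments from step 2b and reports what access a given client gets for a given target DN. Its semantics are an assumption stated in the code (first matching "access to" clause wins, first matching "by" clause within it decides, dn values are treated as regular expressions searched within the DN, no match means "none"), and the enrollment-server and CA md5 values are constructed stand-ins for the article's <enrollment-server-md5> and <CA_md5> placeholders.

```python
"""Added example (not RSA's code): evaluate slapd-style ACL rules to show
why the per-CA signing rule must precede the general signing-backend rule.

Assumed semantics (a simplification, not a statement about Sentry CA's
exact evaluator): the first 'access to' clause whose dn pattern matches
the target DN is selected; within it the first 'by' clause whose dn
pattern matches the client decides; if nothing matches, access is 'none'.
dn="..." values are treated as regular expressions searched within the DN,
which is why "o=ca,o=services" also matches "<CA_md5>,o=ca,o=services".
"""
import re
from dataclasses import dataclass, field

# The admin md5 is the article's own placeholder value; the other two are
# constructed stand-ins for <enrollment-server-md5> and <CA_md5>.
ADMIN_MD5 = "md5=12345678901234567890123456789012"
ENROLL_MD5 = "md5=ffffffffffffffffffffffffffffffff"  # constructed
CA_MD5 = "md5=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"      # constructed

# The two rules from step 2b, kept separate so they can be reordered.
PER_CA_RULE = f'''
# Admin server and enrollment server may use this particular CA
access to dn="{CA_MD5},o=ca,o=services"
    by dn="{ADMIN_MD5}" write
    by dn="{ENROLL_MD5}" write
    by dn=".*" none
'''
GENERAL_RULE = f'''
# Only the admin server may reach the signing backend otherwise
access to dn="o=ca,o=services"
    by dn="{ADMIN_MD5}" write
    by dn=".*" none
'''

ACCESS_RE = re.compile(r'^access\s+to\s+dn="([^"]*)"$')
BY_RE = re.compile(r'^by\s+dn="([^"]*)"\s+(\w+)$')


@dataclass
class Rule:
    what: str                                   # dn pattern of the target
    by: list = field(default_factory=list)      # [(who pattern, access level)]


def parse_acl(text):
    """Parse 'access to' / 'by' lines into an ordered list of Rule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ACCESS_RE.match(line)
        if m:
            rules.append(Rule(m.group(1)))
            continue
        m = BY_RE.match(line)
        if m:
            if not rules:
                raise ValueError("'by' clause before any 'access to' clause")
            rules[-1].by.append((m.group(1), m.group(2)))
            continue
        raise ValueError(f"unrecognised ACL line: {raw!r}")
    return rules


def evaluate(rules, client_dn, target_dn):
    """Return the access level the client gets on the target under the
    assumed first-match semantics."""
    for rule in rules:
        if re.search(rule.what, target_dn):
            for who, level in rule.by:
                if re.search(who, client_dn):
                    return level
            return "none"   # matched clause, but no 'by' matched the client
    return "none"           # no clause matched the target at all


def enrollment_access(acl_text, ca_md5=CA_MD5):
    """Access the enrollment server gets to the signing backend of one CA."""
    return evaluate(parse_acl(acl_text), ENROLL_MD5, f"{ca_md5},o=ca,o=services")


if __name__ == "__main__":
    # Correct order from the article: per-CA rule above the general rule.
    print("per-CA rule first :", enrollment_access(PER_CA_RULE + GENERAL_RULE))
    # Wrong order: the general rule shadows the per-CA rule.
    print("general rule first:", enrollment_access(GENERAL_RULE + PER_CA_RULE))
```

Running the script shows "write" for the article's ordering and "none" for the reversed ordering; the same evaluator can be pointed at your own rule set to confirm that an unrelated CA md5 still yields "none" for the enrollment server and that the admin server keeps "write" everywhere.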

3. Set up the auto-signing pages.
To make these templates accessible from your enrollment webserver, put these templates into the enroll-server subdirectory where you installed Sentry CA.

   For Netscape 4.x browsers:
       Use auto-request-spk.xuda and auto-add-spk-request.xuda
   For MSIE 4.x and 5.x browsers:
       Use auto-request-msie.xuda and auto-add-msie-request.xuda

   You may pick up a sample copy of the xuda templates from:

   For Sentry CA 3.5: autovet35.zip

   For Sentry CA 3.6: autovet36.zip

   For Sentry CA 3.7: autovet37.zip

   For Sentry CA 4.0: autovet40.zip

4. Stop and restart all services.


Additional notes:

- TTL (time to live) should be set to the number of days that you want the certificates to be valid for. You can modify the value for TTL in auto-add-msie-request.xuda or auto-add-spk-request.xuda.

- To allow auto-vetting of a LUNA based CA, or any CA for which a passphrase is used, you must ensure that either:
      a) the PIN is automatically provided at startup using the "setpin" directive, or
      b) the correct PIN is entered at startup time.

- To reach the autovetting templates from the enrollment page, either add a link to auto-request-spk.xuda and auto-request-msie.xuda from index.xuda in the enroll-server directory, or, if all CAs will be auto-vetted, rename the two templates to request-spk.xuda and request-msie.xuda.

To allow automatic vetting of certificate requests for Sentry CA versions later than 4.0 and for Keon CA 5.7, refer to the Sentry/Keon CA Administrator's Guide, section "Automatic Vetting of Certificate Requests Submitted via the Enrollment Server" in Chapter 3, for detailed instructions.
Legacy Article ID: a3638
