000022862 - How to give Keon Certificate Authority OneStep access to more than one jurisdiction

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000022862
Applies To: RSA Registration Manager 6.6
Sun Solaris 2.8
Keon Certificate Authority OneStep
Issue: How to give Keon Certificate Authority OneStep access to more than one jurisdiction
How to give a Keon Certificate Authority OneStep installation access to two jurisdictions that are used by a custom plugin
Resolution: A single Keon Certificate Authority OneStep installation can be given access to more than one jurisdiction. To do so, add an LDAP ACL rule block for each additional jurisdiction, as described below.

First, install OneStep as you normally would. When you approve the OneStep installation certificate, apply the new ACL rules. This creates a block like the following in the LDAP ACL rules (System Configuration Workbench > LDAP Rules):

# RM admin and scep server access to Target CA operations
# (signing) backend.
access to dn="id=<Jurisdiction ID for the OneStep installation>,md5=<MD5 of your CA>,o=ca,o=services"
        by dn="md5=<MD5 of your OneStep certificate>" write
        ... block of <dn="md5..." write> ...
        by dn=".*" none

To give the same OneStep installation access to a second jurisdiction, copy the whole block shown above and paste it as a new block. In the copied "access to dn=..." line, replace the jurisdiction ID with the ID of the second jurisdiction and the md5= value with the MD5 of that jurisdiction's CA. Leave the 'by dn="md5=<MD5 of your OneStep certificate>" write' lines unchanged, since it is the same OneStep certificate that needs access, and keep the closing 'by dn=".*" none' line so that every other DN is still denied. Be aware that the copied block grants the OneStep certificate write access to the second CA's signing backend, so add such a block only for jurisdictions that OneStep is actually meant to request certificates from.
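The following script carries out the copy-and-edit step above on the text of the ACL rules and checks the result. It is an added example, not code from the RSA article or from the Keon CA product: it locates the OneStep block for the existing jurisdiction, builds the block for the second jurisdiction with the same grantees and the same closing deny line, refuses to proceed if the source block lacks that deny line, and refuses to add a duplicate block. The jurisdiction IDs and all MD5 values in it are constructed placeholders; the real CA MD5 is taken from your own Keon CA configuration and passed in as a string.

```python
"""Extend the LDAP ACL so that an existing Keon CA OneStep installation can
reach a second jurisdiction.

Added example, not code from the RSA article or product. It works on the text
of the ACL rules as shown in the article (System Configuration Workbench >
LDAP Rules). All jurisdiction IDs and MD5 values are constructed placeholders.
"""
import re

# Constructed sample ACL text: the block the first OneStep installation created,
# preceded by an unrelated rule so the script has to locate the right block.
SAMPLE_ACL = """# some unrelated rule (constructed)
access to dn="o=ra,o=services"
        by dn=".*" read

# RM admin and scep server access to Target CA operations
# (signing) backend.
access to dn="id=juris1,md5=0123456789abcdef0123456789abcdef,o=ca,o=services"
        by dn="md5=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" write
        by dn="md5=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" write
        by dn=".*" none
"""

HEX32 = r"[0-9a-fA-F]{32}"

# One OneStep access block: the two comment lines, the target-CA DN and every
# "by dn=..." clause that follows, up to and including the default deny.
BLOCK_RE = re.compile(
    r'# RM admin and scep server access to Target CA operations\n'
    r'# \(signing\) backend\.\n'
    r'access to dn="id=(?P<jid>[^,"]+),md5=(?P<camd5>' + HEX32 + r'),o=ca,o=services"\n'
    r'(?P<by>(?:[ \t]+by dn="[^"]*" [a-z]+\n)+)'
)
DENY_LINE = 'by dn=".*" none'


def find_onestep_block(acl: str, jurisdiction_id: str) -> re.Match:
    """Locate the OneStep block for `jurisdiction_id`, or raise ValueError."""
    for m in BLOCK_RE.finditer(acl):
        if m.group("jid") == jurisdiction_id:
            return m
    raise ValueError(f"no OneStep ACL block for jurisdiction {jurisdiction_id!r}")


def write_grantees(block: str) -> list:
    """DNs granted 'write' in a block, in order (OneStep cert and RM admins)."""
    return re.findall(r'by dn="([^"]*)" write', block)


def clone_block(block_match: re.Match, new_jurisdiction_id: str, new_ca_md5: str) -> str:
    """Build the block for the second jurisdiction: same grantees, same closing
    deny line; only the target DN (jurisdiction ID and CA MD5) changes."""
    if not re.fullmatch(HEX32, new_ca_md5):
        raise ValueError("CA MD5 must be 32 hex digits")
    by_clauses = block_match.group("by")
    if by_clauses.rstrip("\n").split("\n")[-1].strip() != DENY_LINE:
        raise ValueError(f"source block must end with the default deny: {DENY_LINE}")
    return (
        "# RM admin and scep server access to Target CA operations\n"
        "# (signing) backend.\n"
        f'access to dn="id={new_jurisdiction_id},md5={new_ca_md5.lower()},o=ca,o=services"\n'
        + by_clauses
    )


def add_jurisdiction(acl: str, existing_jurisdiction_id: str,
                     new_jurisdiction_id: str, new_ca_md5: str) -> str:
    """Return the ACL text with a block for `new_jurisdiction_id` appended,
    cloned from the block of `existing_jurisdiction_id`."""
    existing = find_onestep_block(acl, existing_jurisdiction_id)
    if any(m.group("jid") == new_jurisdiction_id for m in BLOCK_RE.finditer(acl)):
        raise ValueError(f"jurisdiction {new_jurisdiction_id!r} already has a block")
    new_block = clone_block(existing, new_jurisdiction_id, new_ca_md5)
    return acl.rstrip("\n") + "\n\n" + new_block


if __name__ == "__main__":
    # Placeholder second jurisdiction and CA MD5 (constructed values).
    print(add_jurisdiction(SAMPLE_ACL, "juris1", "juris2",
                           "FEDCBA9876543210FEDCBA9876543210"))
```

Paste the printed text back into the LDAP Rules in the Workbench. The checks in clone_block and add_jurisdiction are the ones worth keeping even if you do the edit by hand: the new block must keep the trailing 'by dn=".*" none' so that every other DN is still denied, and there should be exactly one block per jurisdiction.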

NOTE: By default, OneStep does not support two jurisdictions. It is therefore up to your custom plugin to decide from which jurisdiction OneStep requests its certificates; the ACL rules only permit the access, they do not select the jurisdiction.
Legacy Article ID: a31056