Tivoli ® SecureWay ® Public Key Infrastructure Registration Authority Desktop Guide Version 3 Release 7.0 SH09-4530-02



Note! Before using this information and the product it supports, read the general information under “Notices” on page 47.

Third Edition (November 2000)

This edition applies to IBM SecureWay Trust Authority, program 5648-D09, version 3 release 7 modification 0, and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 1999, 2000. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Chapter 1. About Trust Authority  1
Chapter 2. Overview  3
Chapter 3. How do I...?  5
  Become a registrar  5
    Enable a browser  6
    Access the enrollment Web page  6
    Request a browser certificate  7
    Check on enrollment status  8
    Get authorization  9
    Install the RA Desktop  9
    Reconfigure the RA Desktop  10
  Access the RA Desktop  10
  Work with queries  11
    Submit a query  11
    Retrieve pending certificate requests  12
    Retrieve pending key recovery requests  12
    Retrieve expiring certificates  12
    Select a date from the calendar  13
    Set a retrieval limit  13
    Set the number of records per page  13
    Get feedback during processing  13
  Work with results  13
    View query results  13
    View results on multiple pages  14
    Display details of an item  14
    View item attributes  15
    View an action history  15
    Move between tabs  16
    Resize a table column  16
    Sort table rows by a column  17
    Select records in a table  17
  Take action  17
    Act on multiple records  17
    Act on an individual record  18
    Change an attribute value  18
    Change a validity period  18
    Specify a request profile  19
    Add a comment  19
    Approve a request  20
    Approve a key recovery request  20
    Keep a request in pending status  20
    Reject a request  20
    Reject a key recovery request  20
    Change renewability  20
    Suspend a certificate  21
    Revoke a certificate  21
    Resume a certificate  21
    Publish a certificate  22
    Check permissions for the domain  22
  Exit the RA Desktop  22
  Uninstall the RA Desktop  23
Chapter 4. Tell me about...  25
  Enrollment  25
    Preregistration  25
    Web browser support  26
  Registration  26
    Business policy  26
    Registration authorities  26
    Registration databases  26
    Registration domains  27
    Registration records  27
    Record Attributes  27
  Certification  27
    Certificate authorities  27
    Certificate revocation lists  28
    Directories  28
    Distinguished names  28
  Certificates  28
    Browser certificates  29
    CA certificates  29
    Server or device certificates  29
    Certificate extensions  29
    Certificate life cycles  29
    Certificate suspend and resume  29
    Renewability  30
    Certificate key backup and recovery  30
    Publishing certificates  30
  Administration  30
    Access control  31
    Authentication and authorization  31
    Concurrent administration  31
    RA Desktop support servlet  31
    Request profiles  31
Chapter 5. Reference  33
  Query tab  33
    Query fields  33
    Predefined queries  36
    Retrieval limit options  36
    Records per page options  36
  Results tab  36
    Administrative actions  37
    Reasons for revoking a certificate  37
  Details tab  38
    Action history events  38
    Attributes of requests and certificates  39
    Certificate extensions  40
    Supplied certificate types  40
    Detail groups  41
    Status of enrollment requests  41
  Help for tabs  42
  JVM for Internet Explorer  43
  Keyboard alternatives to the mouse  43
  Troubleshooting  45
Notices  47
  Trademarks and service marks  48
Related information  51
Glossary  53
Index  71


About Trust Authority

IBM® SecureWay® Trust Authority provides applications with the means to authenticate users and ensure trusted communications:

¶ It allows organizations to issue, publish, and administer digital certificates in accordance with their registration and certification policies.

¶ Support for Public Key Infrastructure for X.509 version 3 (PKIX) and Common Data Security Architecture (CDSA) cryptographic standards allows for vendor interoperability.

¶ Digital signing and secure protocols provide the means to authenticate all parties in a transaction.

¶ Browser- and client-based registration capabilities provide maximum flexibility.

¶ Encrypted communications and secure storage of registration information help ensure confidentiality.

A Trust Authority system can run on IBM® AIX/6000® and Microsoft® Windows NT® server platforms. It includes the following key features:

¶ A trusted Certificate Authority (CA) manages the life cycle of digital certification. To vouch for the authenticity of a certificate, the CA digitally signs each one it issues. It also signs certificate revocation lists (CRLs) to vouch for the fact that a certificate is no longer valid. To further protect its signing key, you can use cryptographic hardware, such as the IBM SecureWay® 4758 PCI Cryptographic Coprocessor.

¶ A Registration Authority (RA) handles the administrative tasks behind user registration. The RA ensures that only certificates that support your business activities are issued, and that they are issued only to authorized users. The administrative tasks can be handled through automated processes or human decision-making.

¶ A Web-based enrollment interface makes it easy to obtain certificates for browsers, servers, and other purposes, such as virtual private network (VPN) devices, smart cards, and secure e-mail.

¶ A Windows® application, the Trust Authority Client, enables end users to obtain and manage certificates without using a Web browser.

¶ A Web-based administration interface, the RA Desktop, enables authorized registrars to approve or reject enrollment requests and administer certificates after they have been issued.

¶ An Audit subsystem computes a message authentication code (MAC) for each audit record. If audit data is altered or deleted after it has been written to the audit database, the MAC enables you to detect the intrusion.

¶ Policy exits enable application developers to customize the registration processes.


¶ Integrated support for a cryptographic engine. To authenticate communications, the core Trust Authority components are signed with a factory-generated private key. Security objects, such as keys and MACs, are encrypted and stored in protected areas called KeyStores.

¶ Integrated support for IBM SecureWay Directory. The Directory stores information about valid and revoked certificates in an LDAP-compliant format.

¶ Integrated support for IBM WebSphere™ Application Server and IBM HTTP Server. The Web server works with the RA server to encrypt messages, authenticate requests, and transfer certificates to the intended recipient.

¶ Integrated support for the award-winning IBM DB2® Universal Database.
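The Audit subsystem described above relies on a per-record MAC to make alteration or deletion of audit data detectable. The following is an added example, not code from the guide or from Trust Authority, of how such a check works in practice: each record carries an HMAC over its own contents and the previous record's MAC, so a modified record, a record removed from the middle, and (when the latest MAC is kept outside the database) a record removed from the end all fail verification. The key, the HMAC-SHA-256 choice, the record format and the sample records are all constructed for this example; the product's actual algorithm and key storage are not described on the page.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed key for this example only. The page says MACs and keys live in protected
# KeyStores; the assumption here is simply that the key is not stored beside the records.
AUDIT_MAC_KEY = b"constructed-example-key-do-not-use-in-production"

# Constructed sample audit records; not data produced by the product.
SAMPLE_RECORDS = [
    {"seq": 1, "event": "LOGIN", "registrar": "cn=registrar1,o=example"},
    {"seq": 2, "event": "REQUEST_APPROVED", "registrar": "cn=registrar1,o=example", "request_id": "REQ-0001"},
    {"seq": 3, "event": "CERT_REVOKED", "registrar": "cn=registrar1,o=example", "serial": "0x1a2b"},
]

GENESIS = "genesis"  # chain link used for the very first record


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so identical records always MAC identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def mac_record(record: dict, prev_mac: str, key: bytes = AUDIT_MAC_KEY) -> str:
    """HMAC over the previous record's MAC plus this record; chaining exposes deletions."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(prev_mac.encode("ascii"))
    h.update(b"\x00")  # domain separator between the chain link and the record bytes
    h.update(canonical(record))
    return h.hexdigest()


def append_record(log: list, record: dict, key: bytes = AUDIT_MAC_KEY) -> dict:
    """Append a record with its MAC to the in-memory log and return the stored entry."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"record": record, "mac": mac_record(record, prev, key)}
    log.append(entry)
    return entry


def verify_log(log: list, expected_head: Optional[str] = None,
               key: bytes = AUDIT_MAC_KEY) -> List[Tuple[int, str]]:
    """Return (index, problem) pairs; an empty list means every record and the chain verify.

    expected_head is the MAC of the most recent record, kept where the audit writer cannot
    silently change it; without it, truncating the log from the end is not detectable.
    """
    problems = []
    prev = GENESIS
    for i, entry in enumerate(log):
        recomputed = mac_record(entry["record"], prev, key)
        if not hmac.compare_digest(recomputed, entry["mac"]):
            problems.append((i, "MAC mismatch"))
        prev = entry["mac"]
    if expected_head is not None:
        last = log[-1]["mac"] if log else GENESIS
        if not hmac.compare_digest(last, expected_head):
            problems.append((len(log), "head mismatch"))
    return problems


def build_sample_log() -> list:
    log = []
    for record in SAMPLE_RECORDS:
        append_record(log, record)
    return log


def tampered_copies(log: list) -> dict:
    """Three ways stored audit data can be damaged, for demonstrating detection."""
    modified = copy.deepcopy(log)
    modified[1]["record"]["event"] = "REQUEST_REJECTED"  # alter a record in place
    deleted = copy.deepcopy(log[:1] + log[2:])           # remove a record from the middle
    truncated = copy.deepcopy(log[:-1])                  # drop the most recent record
    return {"modified": modified, "deleted": deleted, "truncated": truncated}


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["mac"]
    print("intact:", verify_log(log, head))
    for name, bad in tampered_copies(log).items():
        print(name + ":", verify_log(bad, head))
```

The per-record MAC alone catches the modified record; only the chain catches the record deleted from the middle, and only the separately stored head MAC catches truncation from the end, which is why verify_log reports nothing for the truncated log when expected_head is omitted.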


Overview

When an organization has secure applications protected by Trust Authority, only users with the proper credentials can access those applications. Someone who wants a credential, such as a digital certificate, can request it by providing appropriate information. Data in the enrollment request is the basis for the decision to approve the request or reject it. If an enrollment request is approved, the Trust Authority Registration Authority (RA) processes the request, and the Trust Authority Certificate Authority (CA) issues the certificate. Records of enrollment requests and certificates reside in an encrypted registration database.

Evaluating enrollment requests and administering these records is an administrative task. Sometimes your organization configures Trust Authority to automate parts of these tasks, and a program evaluates the registration data. Other times a registrar like you makes all the judgments.

The Trust Authority Registration Authority Desktop (RA Desktop) is a graphical user interface (GUI) for handling enrollment requests and managing the resulting records. It supports your tasks as a registrar, such as:

¶ Evaluating enrollment requests that are pending, to approve or reject them

¶ Preparing queries to retrieve records of certificates of a particular type or that belong to specific users

¶ Reviewing the details of a record

¶ Setting the validity period of a certificate

¶ Taking action to change the status of a certificate or enrollment request

¶ Annotating a record to explain the reason for an action

¶ Granting certificate private key recovery requests from backed-up PKCS #12 files

The RA Desktop is a secure applet. To use it, you must have authority to do specific tasks, and you must be authenticated by presenting the proper digital certificate.

Related topics:

“Become a registrar” on page 5
“Access the RA Desktop” on page 10


How do I...?

The topics in this section provide step-by-step directions for your tasks as a registrar, such as:

¶ Preparing your browser and installing the RA Desktop

¶ Getting your browser certificate and authorization to be a registrar

¶ Querying the registration database to work with requests and certificates

Become a registrar

Before you can access the RA Desktop to administer certificates and requests for certificates, you must be enrolled as an authorized Trust Authority registrar. This process involves several steps, some of which must be handled by a system administrator.

This section describes preliminary tasks you need to complete before you can use the RA Desktop:

__ Step 1. One user, typically a system administrator, must follow the procedures in the System Administration Guide to add the first registrar to the system.

__ Step 2. Set up your Web browser so that it can run the RA Desktop.

__ Step 3. Access the Trust Authority enrollment Web page to obtain the necessary certification.

__ Step 4. Request a CA certificate, and then a browser certificate, for your Web browser. Your organization should provide guidance about the type of browser certificate you should select to install and the name of the registration domain that you are being authorized to administer.

__ Step 5. Check on the enrollment status and confirm that the certificate was installed.

__ Step 6. After the certificate has been issued, you must request authorization to work as a registrar. Communicate a request to the first authorized registrar, and provide this user with the request ID that was returned to you after you submitted your request for a certificate.

__ Step 7. The first registrar must follow the procedures in the System Administration Guide to authorize you as a new registrar.

__ Step 8. After receiving confirmation that you have been enrolled as a registrar, install the RA Desktop.

If you later need to change the default browser you set during installation, or if you need to change the RA Server’s URL, you can reconfigure the RA Desktop.


Enable a browser

Before enabling a browser, make sure that your machine meets the following requirements for running the RA Desktop:

¶ An Intel Pentium® processor with at least 64 MB of RAM, or better.

¶ A computer display that supports VGA resolution, or better.

¶ The Microsoft Windows 95, 98, or NT operating system.

To enable a Web browser for the RA Desktop:

1. Install one of the supported Web browsers:

¶ Netscape Navigator or Communicator, release 4.51 or later; on AIX® with DCE Attributes, Netscape Navigator or Communicator, release 4.7

¶ Microsoft Internet Explorer, release 5.0.

With Internet Explorer, you must have Java Virtual Machine (JVM), release 5.00, build 3167 or later. “JVM for Internet Explorer” on page 43 describes how to determine which release of JVM you are running, and how to upgrade if necessary.

Note: You must install the official version of the product, distributed by Netscape or Microsoft. Versions from third-party vendors may not display information correctly, especially when you run the applet in a language other than English.

2. Alter your Web browser:

¶ In Netscape, open the Preferences menu to enable Java.

¶ In Internet Explorer, open the Options menu to enable Java.

Note: The latest information about RA Desktop applet requirements is available in the Readme file. The Readme file is available at the IBM SecureWay Trust Authority Web site: http://www.tivoli.com/support

Access the enrollment Web page

To access the Web page for enrollment:

1. Get your organization’s URL for accessing the enrollment Web page. The URL will have the following format: http://MyWebServer:port/MyDomain/index.jsp

where MyWebServer:port is the host name and port of the server on which the Trust Authority Registration Authority is installed. MyDomain is the configured name of the registration domain on this Trust Authority system. For example: http://MyWebServer:80/MyDomain/index.jsp

2. Open the browser you enabled for the RA Desktop.

3. Enter the URL:

¶ In Netscape, type the URL in the text box at Location.

¶ In Internet Explorer, type the URL in the text box at Address.

4. Press the Enter key.


The Trust Authority enrollment Web page is displayed. For a default installation, the name of this page is Credential Central.

5. If you are using the Trust Authority enrollment services for the first time, click install our server’s CA certificate.

This certificate enables your browser to authenticate communications from the enrollment services. The next time you use these services, you can omit this step.

Request a browser certificate

This section describes how to use the Trust Authority enrollment page to request a browser certificate so you can run the RA Desktop.

Note: As a registrar, you might also need to enroll servers or devices, or preregister someone. For help with those tasks, refer to the Trust Authority User’s Guide.

Depending on how the registration facility was customized for your organization, the procedures for getting a valid certificate may vary. The following discussion outlines basic steps. Contact your system administrator for procedures appropriate for your site.

To obtain your browser certificate:

1. Access the enrollment Web page from your browser.

2. In the Certificate Enrollment area:

a. Select Enrollment Type → Browser certificate.

b. Select Action → Enroll.

c. Click OK. The enrollment form you requested is displayed.

3. Follow the instructions on the Web page to complete the fields. There are two sections:

¶ A Registration Information section with text boxes where you supply information about yourself.

¶ A Certificate Request Information section with text boxes where you supply information about the certificate you want. If you do not supply values in the section’s optional fields, Trust Authority supplies defaults that are associated with the type of certificate you are requesting.

Pay particular attention to the following fields:

Type of Certificate
Select the kind of browser certificate that your organization wants you to present to access the RA Desktop. “Supplied certificate types” on page 40 describes the certificate types.

Install CA certificate to Browser
Click to get a corresponding CA certificate that is compatible for the certificate type. If you click this button, the CA certificate is downloaded immediately.

This certificate enables your browser to authenticate communications from the registration facility when you use the RA Desktop. If for some reason you already have the same CA certificate, you do not need another one.

E-mail Address
To select E-mail Notification, you must supply your e-mail address.


E-mail Notification
Select this to receive e-mail about the outcome of your request.

Note: If the RA server is installed on a Windows NT platform in your organization, the registration facility’s configuration file (raconfig.cfg) may need to be updated to point to an SMTP host to enable this feature. For details, see the Trust Authority Customization Guide.

Challenge Response
Be sure to remember the case-sensitive Challenge Response you supply. You will need to know it later to check the status of the enrollment request.

Domain Name
Optionally, type the host name of the machine where the certificate will be installed (your machine’s host name). Typically, you can omit this field unless you have been instructed to use it.

If you need further help with the fields, consult the Reference section of the Trust Authority User’s Guide.

4. Click Submit Enrollment Request.

After Trust Authority receives the enrollment form, it validates the information:

¶ If the form contains errors, it shows you the errors. Make the changes and click Resubmit Enrollment Request.

¶ If the form contains no errors, another Web page displays your request ID.

5. Make sure to keep your request ID. It identifies you later so that you can check on the status of the request and receive your certificate when it is ready. Do one of the following, as described on the Web page:

¶ Bookmark the Web page so that you can return to this display and check on your certificate. This is the easiest way to return to check your status.

¶ Record the request ID so that you can supply it when you return. As a safeguard, you may want to record the request ID regardless of whether you created a bookmark for the status page.

¶ If you selected E-mail Notification on the enrollment form, you can wait for the request ID to arrive by e-mail.

Check on enrollment status

To check the status of your enrollment request, either return to the Web page you bookmarked during enrollment, or complete the following steps:

1. Access the enrollment Web page.

2. At Enrollment Type, select the type of enrollment you requested.

3. At Action, select Check Status.

4. Click OK.

The display contains fields where you must authenticate your identity before you can get any information about your request.

5. Supply information in the fields:

¶ At Request ID, type the request ID you were shown after you submitted the enrollment form.


¶ At Challenge Response, type the same Challenge Response you supplied on the enrollment form.

6. Click Check Enrollment Status.

A message indicates the current status of your request.

¶ If your request is still pending, you can return later and check again.

¶ If your browser certificate has been issued, it was downloaded when you clicked Check Enrollment Status.

7. View your certificate if desired, following the instructions on the Web page.
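The request ID and the case-sensitive Challenge Response described above are, together, the credential that gates the status check and the certificate download. The Python example below is added here to illustrate that binding; it is not code from Trust Authority. The in-memory request store, the random request-ID format, the minimum challenge length and the PBKDF2 hashing of the challenge are all assumptions made for the illustration.

```python
"""Added example (not Trust Authority code): a registration facility that binds
a request ID to a case-sensitive Challenge Response, so that only the original
requester can check enrollment status or collect the issued certificate.

Assumptions (hypothetical): in-memory storage, 16-hex-character request IDs,
an 8-character minimum challenge, and PBKDF2-SHA256 for the stored challenge."""
import hashlib
import hmac
import secrets

_ITERATIONS = 100_000          # assumption: work factor for the stored challenge hash
_DUMMY_SALT = secrets.token_bytes(16)  # used so unknown IDs cost the same as wrong challenges
_REQUESTS = {}                 # request_id -> record (constructed, in memory)


def _hash_challenge(challenge: str, salt: bytes) -> bytes:
    # The challenge is case-sensitive: "Secret" and "secret" produce different hashes.
    return hashlib.pbkdf2_hmac("sha256", challenge.encode("utf-8"), salt, _ITERATIONS)


def submit_enrollment(name: str, challenge: str) -> str:
    """Validate the form, store a salted hash of the challenge, and return the request ID."""
    if not name.strip():
        raise ValueError("form error: name is required")
    if len(challenge) < 8:
        raise ValueError("form error: challenge response must be at least 8 characters")
    request_id = secrets.token_hex(8)   # random, so it cannot be enumerated
    salt = secrets.token_bytes(16)
    _REQUESTS[request_id] = {
        "name": name,
        "salt": salt,
        "challenge_hash": _hash_challenge(challenge, salt),
        "status": "Pending",
        "certificate": None,
    }
    return request_id


def registrar_approve(request_id: str, certificate_pem: str) -> None:
    """Hypothetical RA-side action: mark the request Approved and attach the certificate."""
    rec = _REQUESTS[request_id]
    rec["status"] = "Approved"
    rec["certificate"] = certificate_pem


def check_enrollment_status(request_id: str, challenge: str) -> dict:
    """Return the status (and the certificate once issued) only to a caller who
    presents both the request ID and the exact challenge response."""
    rec = _REQUESTS.get(request_id)
    salt = rec["salt"] if rec is not None else _DUMMY_SALT
    candidate = _hash_challenge(challenge, salt)
    # One error for both failure modes, and a constant-time compare: do not reveal
    # whether the ID exists or which part of the credential was wrong.
    if rec is None or not hmac.compare_digest(candidate, rec["challenge_hash"]):
        raise PermissionError("authentication failed")
    result = {"status": rec["status"]}
    if rec["status"] == "Approved":
        result["certificate"] = rec["certificate"]  # "downloaded" with a successful check
    return result
```

The stored value is a salted hash rather than the challenge itself, so a copy of the request table does not let a registrar or an attacker impersonate a requester; the hash is recomputed with a dummy salt for unknown IDs so the response time does not reveal which request IDs exist.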

Get authorization

Before asking your system administrator to authorize you for the RA Desktop, complete the following tasks:

¶ Request a browser certificate and specify the registration domain you will administer.

¶ Download to your Web browser the browser certificate and its compatible CA certificate.

Install the RA Desktop

Installing the RA Desktop is a two-part process. When installing the server software, a system administrator must select Registration Authority Desktop to install the installation image for the applet. The administrator must then distribute the image or make it available on your network so that you can run the installation program from your workstation.

Note: If you install the RA Desktop applet on the same machine from which the Setup Wizard was previously run, the Setup Wizard cannot be run again. If you are using Trust Authority in a test environment, you may want to install the Setup Wizard and RA Desktop on separate machines so that you will be able to repeat the configuration process until you are ready to put the system into production mode.

Use the following procedure to run the RA Desktop installation program, RADInst.exe.

1. Make sure your workstation meets the requirements listed in “Enable a browser” on page 6.

2. From your system administrator, get the URL for the registration domain that you will be administering.

3. Follow your organization’s instructions to copy, access, or download the RA Desktop installation image.

4. Shut down all active programs.

5. Select Start → Run, click Browse to locate the RADInst.exe file, and click OK to run the program.

6. Review the information on the Welcome window, and click Next.

7. On the Choose Destination Location window, click Next if you want to install the software in the default location (c:\Program Files\IBM\Trust Authority\RA Desktop). Otherwise, click Browse to select or type a different destination folder, and then click Next.

8. On the Choose Browser window, select the browser that you want to use as your default browser for accessing the RA Desktop.


Note: You see this window only if you have both Microsoft and Netscape browsers installed and they are both at the required release level.

9. On the Choose Host window, type the URL for the server where the Registration Authority is installed. You must type it in the following format, where hostname:port is the virtual host name and secure port number on the server where the Registration Authority was installed, and RegistrationDomainName is the name that was configured for your organization’s registration domain:

https://hostname:port/RegistrationDomainName

For example:

https://MyRAserver:1443/MyDomain

10. On the Select Program Folder window, click Next if you want to use the default program folder (IBM SecureWay Trust Authority). Otherwise, type or select the name of the folder you want to use, and then click Next.

11. On the Start Copying Files window, review the settings you specified for this installation of the RA Desktop. If you are satisfied with your choices, click Next. The program copies files to the requested location.

12. On the Setup Complete window:

¶ Click the check box to view the README if you want to review the Trust Authority product Readme file. After you click Finish, the Readme file will be displayed in your selected browser.

¶ Click Finish to complete the installation process.

After the installation is complete, RA Desktop and RA Desktop Configuration are in your Start menu under Programs → IBM SecureWay Trust Authority.

Reconfigure the RA Desktop

After you install the RA Desktop, you can change the default browser that you want to use when accessing the applet and change the URL for the RA server that hosts the applet. Use the following procedure to make these changes.

1. Select Start → Programs → IBM SecureWay Trust Authority → RA Desktop Configuration.

2. On the Choose Browser window, select the browser that you want to use when accessing the RA Desktop.

3. On the Choose Host window, type the URL for the RA server that hosts the RA Desktop. You must specify the secure host name, the port number, and the name of the registration domain you need to administer (the domain name cannot contain spaces). For example:

https://NewRAServer:1443/NewDomainName

4. On the Select Program Folder window, click Next without making any changes.

5. On the Start Copying Files window, review your changes and then click Next.

6. On the Setup Complete window, click Finish to complete the reconfiguration process.
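Both the installer (step 9 of the installation procedure) and the RA Desktop Configuration program expect the URL in the form https://hostname:port/RegistrationDomainName. The Python function below is added here to show how a candidate URL can be checked against the constraints the guide states (https only, an explicit port, exactly one registration-domain path segment, no spaces). It is not part of the product; the rejection of URL-embedded credentials, query strings and fragments is an extra assumption, since the guide does not say how the installer itself validates the value.

```python
"""Added example (not Trust Authority code): validate an RA Desktop URL of the
form https://hostname:port/RegistrationDomainName before writing it into the
RA Desktop configuration.

Assumptions: the checks beyond those the guide states (no credentials, query
or fragment in the URL) are the author's own hardening, not product behaviour."""
from urllib.parse import urlsplit


def validate_ra_desktop_url(url: str) -> tuple:
    """Return (hostname, port, registration_domain) or raise ValueError with the reason."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        # The RA Desktop session is client-authenticated TLS; plain http cannot carry it.
        raise ValueError(f"scheme must be https, got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing secure host name")
    try:
        port = parts.port  # raises ValueError if non-numeric or out of range
    except ValueError as exc:
        raise ValueError(f"invalid port in {url!r}") from exc
    if port is None:
        raise ValueError("port must be given explicitly, e.g. https://host:1443/Domain")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in the URL are not allowed")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 1:
        raise ValueError("path must be exactly one registration domain name")
    domain = segments[0]
    if any(ch.isspace() for ch in domain) or "%20" in domain:
        raise ValueError("the registration domain name cannot contain spaces")
    if parts.query or parts.fragment:
        raise ValueError("query string or fragment is not allowed")
    return parts.hostname, port, domain
```

urlsplit lowercases the host name, so the returned host is compared case-insensitively; the registration domain segment is returned as typed, because the guide does not say whether the server treats it as case-sensitive.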

Access the RA Desktop

Each time you want to start the RA Desktop, you must first do the following:

1. If your registrar certificate is in your Netscape browser, close any Netscape sessions you are running.


2. On your Windows taskbar, select Start → Programs → IBM SecureWay Trust Authority → RA Desktop.

When you request the URL of the RA Desktop, your Web browser and the server agree to initiate a secure (client-authenticated) session. Before the server can return the content of that URL, you must be authenticated as a valid registrar. The browser should prompt you to present a certificate. The prompt varies with the browser you use.

3. Present your registrar certificate.

Note: If you use Internet Explorer, the browser automatically submits the last certificate you presented to the server during your browser session. It does not prompt you for acknowledgment. To present a different certificate, you must exit and restart the browser.

The Web browser downloads and initializes the RA Desktop applet:

¶ During downloading of the applet, you might see several messages at the bottom of the browser’s display. For example, you might see a message to indicate that the browser is initializing Java.

¶ During initialization, you see a progress bar that indicates how near the process is to completion. If an error occurs during initialization, the progress bar stops, and you see a generic warning message.

After initialization is complete, you see the RA Desktop. It is ready to use. You can start administering registration requests and certificates for the registration domain that is associated with your certificate.

Note: If you access the RA Desktop from Netscape and some time passes without activity on the RA Desktop, Netscape prompts you for your certificate again. This additional security protects your organization in case an emergency calls you away from your desk before you have exited the RA Desktop.

Work with queries

Select the Query tab to prepare a query. You can make your query very specific, or you can retrieve a group of records with common characteristics. You can also limit the number of records to retrieve and specify how many to display on a page when you view them.

Submit a query

On the Query tab, prepare a query to retrieve enrollment or key recovery requests and certificate records you want to work with. You can base your query on either the current status of a request or certificate or on its renewal and expiration characteristics. Within these two categories, you can further refine your query by using the other available fields.

1. Use the fields on the tab to prepare your query. You can refine your query by combining as many of the available fields as desired. “Query fields” on page 33 describes the fields.

¶ As you move your cursor over a field, the bottom of the tab displays help for that field.

¶ You can run the query without specifying any values of your own. This will retrieve records of all the requests that are pending, regardless of their other characteristics.

2. Change the limit on the number of records to retrieve, if desired.


3. Change the number of records to display on a page when you view the results on the Results tab, if desired.

4. When you have prepared your query, click Submit Query.

While you are waiting for your query results, a progress bar shows the progress of query processing. When the results of your query are ready, the Results tab is automatically displayed.

5. On the Results tab, find the records you want to work with.

Related topics:

“Retrieve pending certificate requests”
“Retrieve pending key recovery requests”
“Retrieve expiring certificates”
“Predefined queries” on page 36

Retrieve pending certificate requests

On the Query tab, do either of the following:

¶ Run a query without specifying any values of your own. This is the same as specifying a Pending status.

¶ Without changing the selection at Query type, specify additional characteristics for the records to retrieve, if desired. For example, suppose that your manager asks that you handle someone’s registration request before you handle other pending requests. You could specify the person’s name in your query.

Retrieve pending key recovery requests

On the Query tab, you can retrieve a pending key recovery request:

1. At Query type, select By recovery status, name, and update date.

2. At Key Recovery Status, select Pending.

3. Click Submit Query.

Related topics:

“Approve a key recovery request” on page 20
“Reject a key recovery request” on page 20

Retrieve expiring certificates

On the Query tab, prepare a query to retrieve records of renewable certificates that are due to expire within a specific period:

1. At Query type, select By renewability and expiration.

2. Open the list at Renewability and click Renewable.

3. Refine your query to retrieve only the records of certificates that will expire during a specific period. At Range of expiration dates:

¶ Type or select the earliest expiration date at From.

¶ Type or select the latest expiration date at To.

Related topics:


“Change a validity period” on page 18

Select a date from the calendar

To select a date from the calendar instead of typing it in a date field:

1. Click the small calendar icon next to the field’s text box.

The calendar opens, displaying the current month or the month of the date in the field.

2. To select a different year, click the year on the calendar. This displays a list from which you can select a year.

3. To select a month, click one of the arrowheads next to the name of the current month. The left arrowhead displays earlier months, and the right arrowhead displays later months.

4. To select a day, click the day of the month you want.

The calendar closes, displaying the selected date in the field.

Set a retrieval limit

On the Query tab, you can limit the number of records that are retrieved, even if more than that number match your query. The limit you set is only for the query you are preparing.

1. At Retrieval limit, open the list and select a limit. The default is 150.

This limit affects the size of your query results.

2. Specify the rest of your query.

Set the number of records per page

On the Query tab, you can limit the number of records that are displayed on a page of the Results tab. The limit you set is only for the query you are preparing.

1. At Records per page, do one of the following:

¶ Open the list and select a limit.

¶ Type a number over the displayed default.

This value controls the display of your query.

2. Specify the rest of your query.

Get feedback during processing

After you click a command button on any tab, the status area at the bottom of the panel shows the progress of the processing you requested.

Work with results

Select the Results tab to display the results of your query.

The tab can display more than one of the records you retrieved. The number of records per page depends on the value you selected when you submitted the query.

View query results

On the Results tab, you can view the results after you run a query.

Each row in the table at Query results contains a record that matches your query. The table contains the following columns:


Name
The name associated with a request or certificate, displayed in the following format: lastname, firstname

Request status
The current status of the enrollment request, such as Approved. “Status of enrollment requests” on page 41 describes each status value.

Fulfillment status
The current status of processing for the request, such as Delivered.

Last update
The date associated with the status of the request or certificate.

Date received
The date the enrollment request was received.

To view your query results:

1. Find the records you need. You can do any of the following if it helps you to find the needed records:

¶ Scroll the table, resize columns, or sort the rows of the table.

¶ Move from page to page to view more of the results.

2. When you find the records you want to work with, you can do the following, if desired:

¶ Select one or more records and act on them as a group.

¶ Select a single record to view more detail.

Note: If you did not retrieve the record you need, return to the Query tab:

¶ If your query is incorrect, make changes and then run it again.

¶ If your query is correct, set the retrieval limit to retrieve a larger number of records, and run your query again.

Related topics:

“Set the number of records per page” on page 13

View results on multiple pages

On the Results tab, the results of your query might occupy multiple pages. The number of pages depends on the number of records that match your query and the page size you specified for displaying them. The status area tells you how many pages there are and which page you are viewing.

¶ Click Next Page to move to the next page of the group.

¶ Click Previous Page to move to the previous page of the group.

¶ To go back more than a few pages, it may be faster to return to the Query tab and resubmit the query. Then the Results tab displays the first page of your query results again.

Display details of an item

On the Results tab:

1. In the query results table, select the row for a record in your query results.


2. Click Show Details.

The Details tab is displayed automatically, to show the details of the record you chose.

3. On the Details tab at Display, select the type of detail you want to see.

Note: You can also display details of a record by double-clicking it on the Results tab, or by selecting it and then selecting the Details tab.

Related topics:

“Act on an individual record” on page 18

View item attributes

On the Results tab:

1. Select a record from the table of query results.

2. Click Show Details to display the record in more detail on the Details tab.

3. On the Details tab, at Display, select the type of attributes you want to see. “Detail groups” on page 41 describes how the attributes are grouped. The default is Basic Attributes.

4. Look at the table.

Each row in the table lists an attribute of the request or certificate. “Attributes of requests and certificates” on page 39 describes the request attributes. The table contains the following columns:

Attribute name
The name of the attribute.

Attribute value
The value of the attribute. The value may change during the life cycle of a request or certificate.

5. Scroll the table, resize columns, or sort the rows of the table if it helps you with your task.

Related topics:

“Change an attribute value” on page 18

View an action history

On the Results tab:

1. Select a record from the table of query results.

2. Click Show Details to display the record in more detail on the Details tab.

3. On the Details tab, at Display, select Action History.

4. Look at the table. It includes details of every event in the life cycle of the item.

Each row in the action history describes an action that was taken on the item. Information includes the date when it happened, the responsible party, and any associated comments. The table has the following columns:

Date
The date of the action that is shown in the same row.


By
The distinguished name of the registrar who took the action, or the RA program that did so.

Request Status
Status of the enrollment request, such as Approved. “Status of enrollment requests” on page 41 describes each status value.

Fulfillment Status
Status of processing for the request, such as Delivered.

Comment
The comment that is provided by the registrar at the time of the action.

5. Scroll the table, resize columns, or sort the rows of the table if it helps you with your task.

Related topics:

“Action history events” on page 38

Move between tabs

Sometimes you move from one tab to another automatically. For example:

¶ When you run a query from the Query tab, you move to the Results tab when the query results arrive on the RA Desktop.

¶ When you request details for a record, you move to the Details tab.

¶ When you complete an action from the Details tab, you move back to your query results on the Results tab.

To move between tabs at other times, simply click the tab you want to display. When you do, you can expect the following:

¶ If you return to the Query tab after viewing your query results, your query is still displayed.

¶ If you request details for the wrong item, you can return to your query results on the Results tab. There, you can select a different record to display in detail. Your query results remain on the Results tab until you run another query.

¶ Whenever you move to the Details tab after selecting one record on the Results tab, the Details tab shows that record. The tab contains no information if you have not selected a record on the Results tab, or if you select more than one record. After you submit an action on the Details tab, the information is cleared from that tab.

Note: When you begin a session, the RA Desktop fields display only default values.

Resize a table column

To resize a table column:

1. Place the cursor on the boundary of a column you want to resize.

2. Click the mouse and drag it left or right to change the column width.

3. Release the mouse button at the desired width.


Sort table rows by a column

To sort the rows on the basis of a column:

¶ Click the column heading.

¶ To sort in the opposite order, click again.

Select records in a table

You can select one or more records:

¶ To select a single record, click its row.

¶ To select several adjacent records, click the first record, then hold down the Shift key while you click the last record.

¶ To select several records that are not adjacent, hold down the Ctrl key while you click each one.

¶ To deselect a record, click it again.

Take action

You can act on an enrollment request or update the record of a certificate. Both the Results tab and the Details tab contain fields where you can choose the action. The actions you can take depend on your own permissions in the registration domain where you are a registrar.

Act on multiple records

On the Results tab, each row in the table is a record in your query results. You can take action on one or more of the records in the table, or you can look at one record in greater detail before you act.

¶ To act while viewing multiple records:

1. Select one or more records.

2. At Set the validity period, specify a validity period for the certificate to be in effect, if desired.

3. At Select the request profile, specify a different request profile, if desired, for a request you are approving. “Supplied certificate types” on page 40 describes the features of the certificate that is associated with each request profile.

4. Open the list at Take action on the selected items and select an action. Only the actions that your permissions for working with records allow are listed.

5. If you select Revoke as your action, you must select a reason for doing so. At Reason for choosing Revoke, open the list and select a reason. “Reasons for revoking a certificate” on page 37 describes the meaning of each reason.

6. At Comment on your action, type a comment to document your action, if desired.

7. Click Submit Action to submit the action for the selected records.

¶ To see more details of a record before acting:

1. Select the row that contains the record.

2. Click the Show Details button.

Related topics:


“Resize a table column” on page 16
“Sort table rows by a column” on page 17

Act on an individual record

On the Details tab, you can make other changes to the displayed record before you specify an action:

1. At Display, select the type of detail you want to see.

If you display the processing attributes of an item, you can change some of the values in the table.

2. Change some attribute values as necessary. “Attributes of requests and certificates” on page 39 describes some of the attributes.

3. At Set the validity period, specify a validity period for the certificate to be in effect, if desired.

4. At Select the request profile, specify a different request profile for a request you are approving, if desired. “Supplied certificate types” on page 40 describes the features of the certificate that is associated with each request profile.

5. Open the list at Take action on the displayed item and select an action. Only the actions that your permissions for working with records allow are listed.

Note: If your action is Revoke, you must also select the reason for the revocation. “Reasons for revoking a certificate” on page 37 describes the valid reasons.

6. At Comment on your action, type a comment to document your action, if desired.

7. Click Submit Action to submit the action.

Related topics:

“Resize a table column” on page 16
“Sort table rows by a column” on page 17

Change an attribute value

On the Details tab, when you approve an enrollment request or act on a fulfilled request, you can change the values of some attributes:

1. At Display, select Business process variables.

2. Scroll to the attribute you want to update.

The values you can update have either a text box for typing a new value or a list box for selecting a different value. “Attributes of requests and certificates” on page 39 describes some of the attributes.

3. Type or select the value you want.

Note: Values in the request profile may override values you set.

Change a validity period

On the Results or Details tab, you can change the validity period for the certificate when you approve an enrollment request or act on a fulfilled request. At Set the validity period, specify a range of dates. To supply a date, click the calendar to open it and then click the date you want. If you type the date, use the same format the calendar uses to fill the text box.


¶ At Begin date, specify the date the certificate will become valid.

¶ At End date, specify the date the certificate will expire.

The validity period you specify is passed to the RA when you submit the action.

Usage Guidelines:

You can modify a certificate validity period to a period within the limits of the defined request profile. For example, if a user requests a certificate with a 1-year validity period, you can shorten the period to less than one year. If you need to extend the validity period beyond the limits of the profile, however, you must take one of the following actions:

¶ Reject the certificate, and ask the user to submit a request that specifies a longer validity period, such as a 2-year certificate.

¶ Modify the request profile and submit the change. You must select the Keep Pending action until all changes have been made.

For example, if you want to change a certificate from a 1-year certificate type to a 2-year certificate type, but limit the certificate validity period to 18 months, take the following steps:

1. Select the certificate request, and change the certificate type to a 2-year certificate.

2. Select Keep Pending, and then click Submit Action.

3. Select the certificate request again, and change the start and end dates as necessary to limit the validity period to 18 months.

4. Select Approve, and then click Submit Action.
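The rule in the usage guidelines above (a registrar may shorten a validity period within the request profile's limit but may not extend it beyond that limit, and extending it requires a profile change, Keep Pending, then Approve) is the kind of check a practitioner would want to see enforced rather than left to the registrar's care. The Python example below is added here to model that rule and to walk through the 18-month case; it is not Trust Authority code. The profile names, their maximum lifetimes, the ISO date format assumed for typed dates, and the request record layout are all constructed for the illustration.

```python
"""Added example (not Trust Authority code): enforce that a registrar-set
validity period fits the request profile, and walk through the guide's
"1-year request approved as 18 months" workflow.

Assumptions: profile names and maximum lifetimes below are constructed;
typed dates are taken to be in ISO format (YYYY-MM-DD)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed profiles: name -> maximum validity in days (hypothetical values).
PROFILE_MAX_DAYS = {"1-year browser certificate": 365, "2-year browser certificate": 730}


def parse_date(text: str) -> date:
    """Parse a typed date; the guide says to use the calendar's format (assumed ISO here)."""
    try:
        return date.fromisoformat(text.strip())
    except ValueError as exc:
        raise ValueError(f"date {text!r} is not in the YYYY-MM-DD format the calendar uses") from exc


@dataclass
class Request:
    request_id: str
    profile: str
    begin: date
    end: date
    status: str = "Pending"
    history: list = field(default_factory=list)   # (action, by, status, comment) rows

    @classmethod
    def from_form(cls, request_id: str, profile: str, begin: str, end: str) -> "Request":
        req = cls(request_id, profile, parse_date(begin), parse_date(end))
        req.set_validity(begin, end)   # the requested period must itself fit the profile
        return req

    def validity_days(self) -> int:
        return (self.end - self.begin).days

    def _record(self, action: str, by: str, comment: str) -> None:
        self.history.append((action, by, self.status, comment))

    def set_validity(self, begin: str, end: str) -> None:
        """Registrar sets Begin/End dates; they must fit the current profile's limit."""
        b, e = parse_date(begin), parse_date(end)
        if e <= b:
            raise ValueError("End date must be after Begin date")
        if (e - b).days > PROFILE_MAX_DAYS[self.profile]:
            raise ValueError(f"validity period exceeds the limit of profile {self.profile!r}")
        self.begin, self.end = b, e

    def change_profile(self, new_profile: str) -> None:
        if new_profile not in PROFILE_MAX_DAYS:
            raise ValueError(f"unknown request profile {new_profile!r}")
        self.profile = new_profile

    def keep_pending(self, by: str, comment: str = "") -> None:
        if self.status != "Pending":
            raise ValueError("only a pending request can be kept pending")
        self._record("Keep Pending", by, comment)

    def approve(self, by: str, comment: str = "") -> None:
        if self.status != "Pending":
            raise ValueError("only a pending request can be approved")
        # Re-check the dates against the profile in force at approval time.
        self.set_validity(self.begin.isoformat(), self.end.isoformat())
        self.status = "Approved"
        self._record("Approve", by, comment)


def approve_with_18_months(req: Request, registrar_dn: str) -> Request:
    """The guide's worked case: move a 1-year request to the 2-year profile, Keep Pending,
    then limit the period to about 18 months (548 days, an assumption) and Approve."""
    req.change_profile("2-year browser certificate")
    req.keep_pending(registrar_dn, "profile changed to 2-year; dates to follow")
    req.set_validity(req.begin.isoformat(), (req.begin + timedelta(days=548)).isoformat())
    req.approve(registrar_dn, "approved with an 18-month validity period")
    return req
```

The profile limit is checked both when the registrar types new dates and again at Approve, so a profile change that happens between the two steps (the Keep Pending round trip) cannot leave an out-of-policy period in place.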

Specify a request profile

On the Results or Details tab, you can specify a different request profile to use in creating the certificate when you approve an enrollment request.

At Select the request profile, select one of the following:

¶ Select a request profile from the list. Profiles on the list are the ones you are permitted to specify. “Supplied certificate types” on page 40 describes the certificate that is associated with each request profile.

¶ Select Use the current profile. This is the default. It enables you to proceed even if the current profile is not one that you are permitted to specify.

The profile you specify is used to process the request and create the certificate after you submit the action.

Add a comment

On the Results or Details tab, you can add comments to explain the action you are taking:

1. At Take action, select an action.

2. At Comment on your action, type your comment in the text box. You can use up to 512 characters.

3. Click Submit Action to include the comment as you update the record.

Your comment is added to the record when you submit your action.


Approve a request

You can approve a request on either the Results tab or the Details tab.

¶ If you use the Results tab, you can select more than one record to approve.

¶ If you use the Details tab, you can alter the values of some attributes before approving the displayed request.

From either tab:

1. At Take action, click Approve.

2. Click Submit Action.

Approve a key recovery request

You can approve a key recovery request on either the Results tab or the Details tab. If you use the Results tab, you can select more than one record for approval.

From either tab:

1. At Take action, click Approve Key Recovery.

2. Click Submit Action.

Keep a request in pending status

You can keep a request pending on either the Results tab or the Details tab. If you use the Results tab, you can select more than one record to keep pending.

From either tab:

1. At Take action, click Keep Pending.

2. Click Submit Action.

Reject a request

You can reject a request on either the Results tab or the Details tab. If you use the Results tab, you can select more than one record for rejection.

From either tab:

1. At Take action, click Reject.

2. Click Submit Action.

Reject a key recovery request

You can reject a key recovery request on either the Results tab or the Details tab. If you use the Results tab, you can select more than one record for rejection.

From either tab:

1. At Take action, click Reject Key Recovery.

2. Click Submit Action.

Change renewability

You can change the renewability of a certificate on either the Results tab or the Details tab. You can make a renewable certificate non-renewable, or vice versa. If you use the Results tab, you can select more than one record and then change the renewability status for the group.


From either tab:

1. At Take action, click one of the following:

¶ Make request renewable

¶ Make request non-renewable

2. Click Submit Action.

Suspend a certificateYou can suspend a certificate on either theResults tab or theDetails tab. If you use theResults tab, you can select more than one certificate to suspend.

From either tab:

1. At Take action, click Suspend Certificate.

Note: You can resume the certificate later, however, once the certificate’s grace periodexpires, the certificate cannot be resumed.

2. Click Submit Action.

Related topics:

“Resume a certificate”

Revoke a certificate

You can revoke a certificate on either the Results tab or the Details tab. If you use the Results tab, you can select more than one certificate for revocation.

Before you revoke a certificate, you must use the Details tab to review the certificate’s validity period. You must verify that the certificate is currently valid before you submit the revocation request.

To revoke a certificate from either tab:

1. At Take action, click Revoke.

2. At Reason, select a reason.

3. Click Submit Action.

After you take this action, the Processing attributes for the record are updated. The Revocation Reason attribute is set to the value you specified.

Related topics:

“Suspend a certificate”

“Resume a certificate”

Resume a certificate

You might want to resume a suspended certificate in the CRL for either of the following reasons:

¶ To remove from the CRL certificates whose suspension no longer applies.

¶ To reactivate a certificate you previously suspended.


Note: If the certificate has expired in the interim, you cannot reactivate it.

Because no automatic notification of the certificate reactivation is sent, you must notify the holder by electronic mail or other means of correspondence.

You can resume a certificate from the CRL on either the Results tab or the Details tab. If you use the Results tab, you can select more than one certificate to reactivate.

From either tab:

1. At Take action, click Resume Certificate.

2. Click Submit Action.

Related topics:

“Suspend a certificate” on page 21

Publish a certificate

You can publish a certificate to the Directory using either the Results tab or the Details tab. If you use the Results tab, you can publish more than one certificate.

From either tab:

1. At Take action, click Publish Certificate.

Note: This action is meant to be used for cases in which normal automatic publishing fails when the certificate is issued.

Check permissions for the domain

On either the Results tab or the Details tab:

1. Click Take action.

2. View the list of actions.

These are your capabilities for working with records of certificates and enrollment requests for the registration domain. If you have authority only to view the records, the only value on the list is No action is available.

Exit the RA Desktop

To exit the RA Desktop from any of its tabs, do either of the following:

¶ Click Exit.

You are returned to the Web page where you accessed the RA Desktop, unless your organization has set another path for you.

¶ Close the desktop as you would close other browser windows, by clicking one of the small icons on the title bar. This closes your browser.


Uninstall the RA Desktop

Use the following procedure if you need to remove the RA Desktop applet from your workstation.

1. Select Start → Settings → Control Panel.

2. Double-click Add/Remove Programs.

3. Select the IBM SecureWay Trust Authority RA Desktop program folder, and click Add/Remove.

4. When prompted to confirm that you want to delete the program, click Yes.

5. If you see a message about certain folders not being deleted, click Details. You must manually delete any folders listed in the Details window to completely remove the RA Desktop from your system.


Tell me about...

The topics in this section define or describe concepts that are related to registration, certification, and administration in an RA Desktop setting.

Enrollment

Enrollment is applying for a certificate. Trust Authority offers more than one method of enrollment, and your organization’s policies dictate which methods are available. Users might do either of the following:

¶ Complete and submit a Trust Authority enrollment form through their Web browsers. In default Trust Authority installations, the enrollment forms are at a Web page called Credential Central. Your site might call this page by another name.

¶ Preregister more informally and then supply preregistration values to Trust Authority through a Trust Authority Client application installed on their workstation.

As a Registration Authority (RA) registrar, you must enroll for a certificate to access the RA Desktop. Later, you might use the enrollment Web page to preregister other users.

Data from enrollment forms goes into database records that you can view from the RA Desktop.

Preregistration

Trust Authority enables a program or an administrator to preregister prospective users.

If you preregister other people for certificates, here is the scenario for doing so:

¶ You need to get information about the person you want to preregister. You might get it from the person or use organization records, such as information from a database.

¶ You access the enrollment page from your Web browser. There is an enrollment form especially for preregistering someone.

¶ You complete the form, supplying information that describes the person and the type of certificate they want. Then you submit the form.

¶ You check on the status of the request.

When the preregistration request is approved, you receive a transaction ID, password, and the URL of the RA that approved the request.

¶ You give this information—by telephone, e-mail, or in person—to the person you preregistered. Optionally, for their convenience, you can give them a preregistration file that contains other request information. The person uses what you send when they are ready to request their certificate.

For guidance during preregistration tasks, refer to the Trust Authority User’s Guide.


Web browser support

Trust Authority enables you to create an enrollment request by completing and submitting an enrollment form through either of the following Web browsers:

¶ Microsoft Internet Explorer, release 5.0.

¶ Netscape Navigator or Communicator, version 4.0.5 or later.

To access the RA Desktop you can use one of the following browsers:

¶ Microsoft Internet Explorer, release 5.0

¶ Netscape Navigator or Communicator, version 4.5.1 or later, or version 4.7 on AIX with DCE attributes.

Registration

Registration is the process of granting a digital certificate to a person or other entity. In Trust Authority, preliminary to registration, either a program or a registrar evaluates the information that was provided with the enrollment request. Then, whether or not the request is granted, the Trust Authority RA creates a record for the request in the registration database. If the decision is to grant the certificate, the Trust Authority Certificate Authority (CA) issues the certificate.

Business policy

When a program supplements your work as a registrar, it applies the business policies of your organization to some of the enrollment information. The type of information it can evaluate is less complex than the kind you evaluate. Values tend to be precise, such as the minimum number of years in a residence. Trust Authority enables your organization to provide policy information to such a program. The program uses that information in its evaluations.

Registration authorities

In Trust Authority, the RA is a server application. It is responsible for some of the administrative tasks necessary to the registration of users, including:

¶ Confirming a user’s identity

¶ Verifying that a requester is entitled to a certificate with the requested attributes and permissions

¶ Approving or rejecting requests to create or revoke certificates

¶ Suspending or reactivating a certificate

¶ Verifying that someone who attempts to access a secure application has the private key associated with the public key within a certificate

Using the RA Desktop, you initiate or direct some actions of the Trust Authority RA.

Registration databases

A Trust Authority registration database stores registration records. The registration database is a relational database, created with IBM DB2® Universal Database. Trust Authority encrypts the records. However, through the RA Desktop an authorized registrar can read most of the registration information.


Registration domains

Each Trust Authority system has a single registration domain. This domain defines the business policies, certificate policies, and resources that are associated with registration and certification at your organization. Users who want to access a resource must be registered in the domain for that resource.

When the RA server software is installed, it contains the framework that allows an organization to set up a registration facility. It can use any of the languages or policies that the RA supports. The domain name, language, and installation path form the URL for accessing your organization’s registration pages.

For example, if your public Web server is named MyPublicWebServer, and your domain name is MyDomain, you would use the following URL to access the registration facility:

http://MyPublicWebServer/MyDomain/index.jsp

A Trust Authority system includes a default Java Server Page (index.jsp). That page is displayed at the URL for the registration domain. It provides enrollment services:

¶ Prospective users go to that Web page to request a certificate, and to renew or revoke their own browser certificates.

¶ To support these users, you must go to that Web page and get your own certificate for accessing the RA Desktop. Then you can use it to preregister other users.

You access the RA Desktop to work with the registration requests and certificates that are associated with a registration domain.

Registration records

Each request for a certificate is an enrollment form that is submitted to the Trust Authority RA. Each enrollment request results in a registration database record. Updates to this record reflect every action on the request, even a rejection of the request. If a certificate is created, the same record reflects any events that are related to that certificate. Thus the registration record contains all the events in the life cycle of the request and the associated certificate.

Record attributes

The attributes of a record in the registration database are variables that describe the enrollment request. For fulfilled requests, variables also describe the certificate that was granted. Other attributes are processing variables that help your organization enforce its business policies. Some attributes and their values are visible to registrars through the RA Desktop.

Certification

Certification is the creation of a digital certificate for an entity or person. For Trust Authority, certification occurs only after evaluation and approval of an enrollment request. As the result of registration, the Certificate Authority (CA) issues the certificates. For Trust Authority, the type of certificate that is issued is consistent with the business policies of your organization.

Certificate authorities

In Trust Authority, the CA is a server program responsible for issuing digital certificates in accordance with the policies of your organization.


Trust Authority supports cross-certification, in which CAs that trust each other agree to accept each other’s certificates as proof of authenticity. Trust Authority also supports a CA hierarchy. CAs trust the CAs that are above them in the hierarchy and accept the certificates of those CAs as proof of authenticity.

Certificate revocation lists

The Trust Authority RA publishes a certificate revocation list (CRL) at regular intervals. The CRL lists the certificates that are no longer valid, so that holders who present them are not authenticated.

Any CA, RA, or application can access this list to determine whether a certificate has been revoked. This is one way that the Trust Authority RA provides security when users try to access the secure applications of your organization.

Directories

The Directory that Trust Authority uses for storing certificates is the IBM SecureWay Directory. This Directory may be one that your organization set up specifically for use with Trust Authority. Alternatively, it may be one that you have installed previously and use with other applications.

The protocol that Trust Authority uses for accessing the Directory is the Lightweight Directory Access Protocol (LDAP).

Distinguished names

The distinguished name (DN) is an element of the Directory entry for a digital certificate. It uniquely identifies the position of the entry in the hierarchical structure of the Directory.
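The hierarchy a DN encodes is easiest to see by taking one apart. The following parser is an added example written for this guide; it is not code from Trust Authority or the IBM SecureWay Directory. It reads the LDAP string form of a DN (RFC 4514), handles the backslash and hex escapes that let commas, plus signs and trailing spaces appear inside values, returns the RDNs leaf-first so that dropping the first RDN gives the parent entry, and serializes a DN back to string form. The sample DNs are constructed and stand for no real directory.

```python
"""Parse and re-serialize LDAP distinguished names (RFC 4514 string form).

Added example; it is not code from the Trust Authority product. The guide
says a DN identifies an entry's position in the Directory hierarchy, which
is what the RDN sequence encodes: the first RDN names the entry itself and
each later RDN is one level up. The sample DNs used here are constructed.
"""
from typing import List, Tuple

RDN = List[Tuple[str, str]]   # one RDN may hold several attribute=value pairs
HEX = "0123456789abcdefABCDEF"
# Characters that must be backslash-escaped inside a value (RFC 4514 2.4)
SPECIAL = ',+"\\<>;='


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep, skipping separators protected by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value: str) -> str:
    """Resolve \\X and \\hh escapes; hex pairs are bytes of the UTF-8 value."""
    buf, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            if i + 2 < len(value) and value[i + 1] in HEX and value[i + 2] in HEX:
                buf.append(int(value[i + 1:i + 3], 16))
                i += 3
            else:
                buf += value[i + 1].encode("utf-8")
                i += 2
        else:
            buf += value[i].encode("utf-8")
            i += 1
    return buf.decode("utf-8")


def _trim(value: str) -> str:
    """Drop insignificant surrounding spaces but keep an escaped trailing space."""
    value = value.lstrip(" ")
    while value.endswith(" ") and not value.endswith("\\ "):
        value = value[:-1]
    return value


def parse_dn(dn: str) -> List[RDN]:
    """Return the DN as a list of RDNs, leaf first, with attribute types lowercased."""
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        rdn = []
        for ava in _split_unescaped(rdn_text, "+"):
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            attr, value = ava.split("=", 1)
            rdn.append((attr.strip().lower(), _unescape(_trim(value))))
        rdns.append(rdn)
    return rdns


def parent_dn(rdns: List[RDN]) -> List[RDN]:
    """The entry one level up in the Directory tree (empty list at the root)."""
    return rdns[1:]


def format_dn(rdns: List[RDN]) -> str:
    """Serialize back to string form, escaping what RFC 4514 requires."""
    def esc(v: str) -> str:
        v = "".join("\\" + c if c in SPECIAL else c for c in v)
        if v.startswith((" ", "#")):
            v = "\\" + v
        if v.endswith(" "):
            v = v[:-1] + "\\ "
        return v
    return ",".join("+".join(f"{a}={esc(v)}" for a, v in rdn) for rdn in rdns)


if __name__ == "__main__":
    sample = 'cn=Smith\\, John+uid=jsmith,ou=Registrars,o=My Org\\ ,c=US'  # constructed
    parsed = parse_dn(sample)
    print(parsed)
    print(format_dn(parent_dn(parsed)))
```

The multi-valued first RDN (cn plus uid joined with "+") and the escaped comma inside the common name are the cases that a naive split on commas gets wrong; a registrar comparing the DN in a record with the DN in the Directory needs both handled the same way on both sides.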

Certificates

A certificate is a digital credential, signed by a CA, that vouches for the identity of the certificate holder. The holder can use the certificate as authentication when communicating with others or when requesting access to a secure application. In Trust Authority, even servers, applications, and devices such as printers and smart cards must have certificates, to authenticate them to users and to each other.

Trust Authority supports X.509v3 certificates in the following categories:

¶ Browser certificates

¶ Server certificates

¶ Device certificates

¶ Certificates for accessing PKIX-compliant applications

¶ Cross-certificates for CAs

Trust Authority also supports the following protocols:

¶ SSL

¶ S/MIME

¶ IPSec

¶ PKIX CMP

A default Trust Authority installation provides a variety of certificate types that are based on these categories and protocols. Enrollees can request certificates that meet their needs. “Supplied certificate types” on page 40 describes the certificate types.


Browser certificates

A browser certificate is a digital credential that is typically stored in an encrypted file by your Web browser. Some applications permit you to store the keys on a smart card or other media. In a Trust Authority system, you can request a browser certificate directly through your Web browser. Later, if necessary, you can return to the enrollment Web page to renew or revoke that certificate.

CA certificates

Every browser, server, device, or application that has a certificate to present to Trust Authority servers must also have a compatible CA certificate. This certificate is needed for authenticating communications from servers that hold certificates issued by the Trust Authority CA.

You must have a Trust Authority CA certificate in your browser to use the secure Trust Authority enrollment services. You can get this the first time you visit the Trust Authority enrollment Web pages. After that, whenever you request a certificate from the enrollment services, you can download a corresponding CA certificate that is compatible with it.

For example, if you request a 2-year SSL browser certificate, you can receive a CA certificate that is compatible with that certificate.

Note: Early releases of Netscape could accept a site certificate presented by a Trust Authority server. That certificate was acceptable for both server-authenticated and client-authenticated communications with that server. However, the latest release of Netscape requires a CA certificate for client-authenticated sessions.

Server or device certificates

If it is part of your job, you can request a certificate for a server or a device. Use the enrollment form that is provided through your Web browser.

The server or device for which you are requesting a certificate must use the PKCS #10 request format.

Certificate extensions

Certificate extensions are optional elements in the format of an X.509v3 certificate. Extensions make it possible to incorporate additional fields into the certificate. Trust Authority provides a group of certificate extensions to enable your organization to customize the certificates it issues. These additional fields are known as business process variables.

When you view a record on the RA Desktop, you can see these fields when you display processing attributes. In some cases, you may be able to update their values.

Certificate life cycles

When you request a certificate, you initiate a life cycle that continues for the lifetime of that credential. That life cycle ends when the certificate is revoked or when it expires.

As an RA Administrator, you can also suspend and reactivate a certificate.

If a certificate is renewed, a new record is created in the registration database.

Certificate suspend and resume

At times, you may be requested to suspend a certificate if, for example, a certificate holder suspects a certificate’s security is compromised. Likewise, after investigation is completed, you may be asked to reactivate the suspended certificate. These tasks are performed through the RA Desktop. A user can issue a request to have a certificate suspended but must request, by electronic mail or other means of communication, to have a certificate reactivated. Notification to the requester must be handled in the same manner.

Each certificate has a grace period, based on certificate type, that is defined in the certificate profile. As an RA Administrator, you can change the default grace period. A value of zero means indefinite: the certificate can be resumed at any time, provided that it has not expired. A certificate cannot be reactivated once the grace period has expired.
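The grace-period rules above, and the revocation check described under “Revoke a certificate”, are small enough to state as a state machine. The following model is an added example written for this guide, not code from Trust Authority: it tracks valid, suspended and revoked states, lists suspended and revoked serial numbers in a set that stands in for the CRL, and refuses a resume once the grace period has passed or the certificate has expired in the interim. The Certificate and Registry classes, the timestamps and the serial numbers are assumptions made for the example.

```python
"""Suspend/resume life-cycle model with a grace period.

Added example; it is not code from the Trust Authority product. The rules
come from the guide: a suspended certificate can be resumed only while it
has not expired and only within its grace period, a grace period of zero
means it can be resumed at any time before expiry, and revocation requires
a certificate that is still within its validity period. The Certificate and
Registry classes and the use of a set of serial numbers to stand in for the
CRL are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set

VALID, SUSPENDED, REVOKED = "valid", "suspended", "revoked"


@dataclass
class Certificate:
    serial: int
    not_after: datetime                 # end of the validity period
    grace_period: timedelta             # timedelta(0) means indefinite
    status: str = VALID
    suspended_at: Optional[datetime] = None
    revocation_reason: Optional[str] = None


@dataclass
class Registry:
    """Tracks certificate state and the serials a CRL would currently list."""
    crl: Set[int] = field(default_factory=set)

    def suspend(self, cert: Certificate, now: datetime) -> str:
        if cert.status != VALID or now >= cert.not_after:
            raise ValueError(f"certificate {cert.serial} is {cert.status} or expired")
        cert.status, cert.suspended_at = SUSPENDED, now
        self.crl.add(cert.serial)       # a suspended certificate is listed on the CRL
        return cert.status

    def can_resume(self, cert: Certificate, now: datetime) -> bool:
        if cert.status != SUSPENDED:
            return False
        if now >= cert.not_after:       # expired in the interim: never resumable
            return False
        if cert.grace_period == timedelta(0):
            return True                 # zero grace period means indefinite
        return now <= cert.suspended_at + cert.grace_period

    def resume(self, cert: Certificate, now: datetime) -> str:
        if not self.can_resume(cert, now):
            raise ValueError(f"certificate {cert.serial} cannot be resumed")
        cert.status, cert.suspended_at = VALID, None
        self.crl.discard(cert.serial)   # off the CRL again; notify the holder separately
        return cert.status

    def revoke(self, cert: Certificate, now: datetime, reason: str) -> str:
        # Check the validity period first, as the guide requires before revoking
        if cert.status == REVOKED or now >= cert.not_after:
            raise ValueError(f"certificate {cert.serial} is not currently valid")
        cert.status, cert.revocation_reason = REVOKED, reason
        self.crl.add(cert.serial)
        return cert.status


def demo() -> Dict[str, object]:
    """Walk three constructed certificates through suspension and report the outcomes."""
    t0 = datetime(2000, 11, 1)
    reg = Registry()
    short = Certificate(1, t0 + timedelta(days=365), timedelta(days=7))
    indefinite = Certificate(2, t0 + timedelta(days=365), timedelta(0))
    expiring = Certificate(3, t0 + timedelta(days=3), timedelta(days=30))
    for cert in (short, indefinite, expiring):
        reg.suspend(cert, t0)
    outcome: Dict[str, object] = {
        "within_grace": reg.can_resume(short, t0 + timedelta(days=5)),
        "after_grace": reg.can_resume(short, t0 + timedelta(days=8)),
        "indefinite_late": reg.can_resume(indefinite, t0 + timedelta(days=300)),
        "expired_in_interim": reg.can_resume(expiring, t0 + timedelta(days=4)),
        "on_crl_while_suspended": sorted(reg.crl),
    }
    reg.resume(indefinite, t0 + timedelta(days=300))
    reg.revoke(short, t0 + timedelta(days=8), "keyCompromise")
    outcome["on_crl_after_actions"] = sorted(reg.crl)
    outcome["short_status"] = short.status
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The third certificate is the case the note under “Resume a certificate” warns about: it was suspended within its grace period but expired before anyone asked to resume it, so the resume is refused regardless of the grace period.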

Renewability

The renewability of a certificate is one of the characteristics that you can alter from the RA Desktop:

¶ If you make a certificate renewable, the holder can apply for a new one while the old one is still valid. Possession of a renewable certificate simplifies the enrollment process and the registration effort.

¶ If you make a certificate non-renewable, the holder must wait until it expires, and then enroll again if they still need a certificate. When they enroll, they must supply all the information, as if they were registering for the first time.

Some users can submit their own renewal requests:

¶ Users with renewable browser certificates can request renewal on the enrollment Web page.

¶ Users with renewable certificates for accessing PKIX-compliant applications can request renewal by using the Trust Authority Client application.

Certificate key backup and recovery

End users can submit requests to create and recover a backup file which contains their certificate and private key information. This is useful if a key somehow becomes lost or forgotten by the key holder. The backup file is created in PKCS #12 format from either a browser or the Client application and is stored in the system’s key recovery database, krbdb.

Through the RA Desktop, the registrar can review these requests and authorize the recovery of the backup file. The registrar can view the decrypted password, certificate serial number, and issuer information from the krbdb database. If the request is approved, the backup file is returned to the user for downloading. Approval of the key recovery is administered through the RA Desktop.

Publishing certificates

Trust Authority publishes certificates automatically when they are issued. In case of failure, the registrar can republish those certificates to the Directory using the RA Desktop.

Administration

Before you can work as a registrar, you must request and receive a certificate for the Web browser from which you plan to use the RA Desktop. After getting the browser certificate, you must present it each time you want to access the RA Desktop. To view or act on any registration records or requests from the RA Desktop, you must also have the proper file permissions.

The topics in this section relate to the use and administration of certificates.


Access control

An access control list (ACL) authenticates and authorizes internal Trust Authority users, devices, and software. For example, the RA Desktop support servlet uses the ACL to authenticate and authorize registrars before they can access the RA Desktop.

Authentication and authorization

Authentication provides proof of identity, whereas authorization provides permission to do something. Trust Authority enables your organization to insist on both before users access secure applications. In turn, certificate holders can be confident that the applications that they are using are secure.

Concurrent administration

Trust Authority provides a single registration domain, but more than one registrar can work within that domain. The design of the RA Desktop servlet and the RA prevents anyone from updating a record if someone else is already working with it. However, more than one administrator can view the same record simultaneously.

RA Desktop support servlet

The RA Desktop support servlet is a Trust Authority application that provides the RA Desktop services to registrars. The servlet returns information when a registrar runs a query, and it updates records when a registrar authorizes changes to them.

Request profiles

Trust Authority provides a default set of request profiles that your organization can use to simplify registration and certification. A request profile controls the attributes and processing of an enrollment request. Each request profile includes a template for a certificate. There are various request profiles for the supported certificate categories.

The name of the request profile for an item is one of its attributes. If necessary, you can specify a different request profile when you approve the enrollment request.

You might see one request profile name listed with the Request attributes, and another one listed with the Basic attributes. This means that a registrar or an RA process overrode the request profile at some point. The profile in the Request attributes was frozen with other attributes of the enrollment request. The profile in the Basic attributes is the current request profile.


Reference

The topics in this section include field descriptions, valid field values, and the meanings of attributes that are displayed on the RA Desktop. Topics are organized on the basis of where on the RA Desktop you would need the information.

Query tab

On the Query tab, you can prepare a query that retrieves certificate, key recovery, or enrollment request information.

The tab has the following features:

¶ Fields for preparing your query.

¶ A Submit Query button for running your query.

¶ Help for your task:

v A status area at the bottom of a tab. This displays field-specific help, Trust Authority messages, and a progress bar during processing.

v A Help button for the tab.

When the results of your query are ready, the RA Desktop automatically displays the Results tab.

Query fields

Use as many fields as you need to in preparing your query. Some fields are not available if they are mutually exclusive with others you have chosen:

¶ At Query type, click one of the following:

v By status, name, and update date, to retrieve records of enrollment requests or certificates on the basis of their status.

v By renewability and expiration, to retrieve records of certificates for which you need renewability or expiration information.

v By recovery status, name, and update date, to retrieve records of certificate key recovery requests.

¶ If at Query type you selected By status, name, and update date or By recovery status, name, and update date, you can refine your query as needed by using the following fields:

v Use the list at Status to retrieve items of every status or only items with one specific status. From the list, select one of the following Request Status values. The default selection is Pending.


All
Retrieves enrollment or key recovery requests regardless of their status.

Received
Retrieves newly received enrollment or key recovery requests.

Pending
Retrieves requests that have not been approved or rejected. Some pending requests are new and require your decision. Others are awaiting some further information before you can deal with them. This is the default value.

Approved
Retrieves requests an RA or registrar has approved. The status of the associated certificate may vary.

Rejected
Retrieves requests an RA or registrar has refused to approve.

Completed
Retrieves requests that an RA or registrar has either approved or rejected. For approved requests with this status, the certificate has been delivered to the user.

v Use the following fields to retrieve only the records of requests or certificates associated with a specific name:

– At Last Name, type a last name, family name, or surname. You can also type the first letters of a name to retrieve all the names that begin with those letters. For example, if you type Smi, you would retrieve records for Smith, Smithers, Smiley, and other last names that begin with “Smi”.

– At First Name, type a first name. You can also type the first letters of a name to retrieve all the names that begin with those letters. For example, if you type “Joh*”, you would retrieve records with the first name Johanna, John, Johan, and other first names that begin with “Joh”.

v Use Range of dates for last update to retrieve only items that were last updated during a certain period. Specify a range of dates.

– There is no default date.

– If you do not specify a date in either field, you retrieve all the records that match the rest of your query.

To supply a date, click the calendar to open it and then click the date you want. If you type the date, use the same format the calendar uses to fill the text box.

From
The earliest date in the range.

If you leave this field blank, your query retrieves every record that was updated on and before the date in the To field.

To
The most recent date in the range.

If you leave this field blank, your query retrieves every record that was updated on and after the date in the From field.

¶ If at Query type you selected By recovery status, name, and update date only, you can refine your query as needed by using the following field:


Not Attempted
Retrieves enrollment requests for which either a key backup or key recovery request has not been attempted.

¶ If at Query type you selected By renewability and expiration, you can refine your query as needed by using the following fields:

v Use the list at Renewability to base your query on whether a certificate is renewable. From the list, select one of the following values:

Renewable
The certificate can be renewed if it has not yet expired.

Non-renewable
The certificate cannot be renewed.

v Use Range of expiration dates to retrieve only items that are due to expire during a certain period. Specify a range of dates.

– There is no default.

– If you do not specify a date in either field, you retrieve all the records that match the rest of your query.

To supply a date, click the calendar to open it and then click the date you want. If you type the date, use the same format the calendar uses to fill the text box.

From
The earliest expiration date.

If you leave this field blank, your query retrieves every record that expired, or will expire, on and before the date in the To field.

To
The latest expiration date.

If you leave this field blank, your query retrieves every record that expired, or will expire, on and after the date in the From field.

¶ Use either or both of the following fields to control the processing and display of your query:

Retrieval limit
The maximum number of records to retrieve, no matter how many records match your query. Select one of the following:

v 50
v 100
v 150
v 250 (default)
v Unlimited (retrieves all matching records)

Page size
The number of records to display on each page of the Results tab. You can move through these pages to find the needed records in your query results. Either select one of the following or type a number over the displayed default.

v 10
v 15 (default)
v 20
v 25
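The field rules above interact (an open-ended date range, a prefix name match, a retrieval limit applied before paging), and the easiest way to check your understanding of them is to run them over a few records. The following filter is an added example written for this guide; it is not code from the RA Desktop or its support servlet and does not reproduce the servlet’s query logic. It implements the semantics as the text describes them: a Status of All disables the status filter, Last Name and First Name match by prefix with an optional trailing “*”, a blank From or To leaves that side of the update-date range open, Retrieval limit caps the hits, and Page size splits them into pages. The record layout, the sort order, and the sample records are assumptions; the records are constructed and describe no real enrollment.

```python
"""Query semantics of the RA Desktop Query tab, run over constructed records.

Added example; it is not code from the Trust Authority product or the RA
Desktop support servlet. It implements the field rules described in the
guide: a status of All disables the status filter, Last Name and First Name
match by prefix (a trailing "*" is accepted), a blank From or To makes the
update-date range open-ended, Retrieval limit caps the hits, and Page size
splits them into pages. The record layout, the sort order (oldest update
first) and the sample data are assumptions made for this example.
"""
from datetime import date
from typing import Dict, Iterable, List, Optional

Record = Dict[str, object]

# Constructed sample registration records, not data from any real system
SAMPLE_RECORDS: List[Record] = [
    {"id": 1, "last": "Smith",    "first": "John",    "status": "Pending",   "updated": date(2000, 10, 2)},
    {"id": 2, "last": "Smithers", "first": "Johanna", "status": "Pending",   "updated": date(2000, 10, 9)},
    {"id": 3, "last": "Smiley",   "first": "Ann",     "status": "Approved",  "updated": date(2000, 10, 12)},
    {"id": 4, "last": "Jones",    "first": "Johan",   "status": "Rejected",  "updated": date(2000, 9, 30)},
    {"id": 5, "last": "Smith",    "first": "Paula",   "status": "Pending",   "updated": date(2000, 10, 20)},
    {"id": 6, "last": "Brown",    "first": "John",    "status": "Completed", "updated": date(2000, 10, 5)},
]


def _name_matches(value: str, pattern: str) -> bool:
    """Prefix match, case-insensitive; "Joh" and "Joh*" both mean 'starts with joh'."""
    if not pattern:
        return True
    return value.lower().startswith(pattern.rstrip("*").lower())


def _in_range(day: date, start: Optional[date], end: Optional[date]) -> bool:
    """Open-ended on whichever side is blank; no date filter when both are blank."""
    if start is not None and day < start:
        return False
    if end is not None and day > end:
        return False
    return True


def run_query(records: Iterable[Record], status: str = "Pending",
              last_name: str = "", first_name: str = "",
              updated_from: Optional[date] = None, updated_to: Optional[date] = None,
              retrieval_limit: Optional[int] = 250, page_size: int = 15) -> List[List[Record]]:
    """Return matching records as pages; retrieval_limit=None means Unlimited."""
    hits = [r for r in records
            if (status == "All" or r["status"] == status)
            and _name_matches(r["last"], last_name)
            and _name_matches(r["first"], first_name)
            and _in_range(r["updated"], updated_from, updated_to)]
    hits.sort(key=lambda r: (r["updated"], r["id"]))   # oldest update first
    if retrieval_limit is not None:
        hits = hits[:retrieval_limit]                    # limit applies before paging
    return [hits[i:i + page_size] for i in range(0, len(hits), page_size)]


def page_ids(pages: List[List[Record]]) -> List[List[int]]:
    """Reduce pages to record ids, which is easier to read and to assert on."""
    return [[r["id"] for r in page] for page in pages]


if __name__ == "__main__":
    print("default query:", page_ids(run_query(SAMPLE_RECORDS)))
    print("Smi, all statuses:", page_ids(run_query(SAMPLE_RECORDS, status="All", last_name="Smi")))
    print("updated on/before 5 Oct:",
          page_ids(run_query(SAMPLE_RECORDS, status="All", updated_to=date(2000, 10, 5))))
```

Note that the retrieval limit truncates the sorted hit list before it is paged, so with a limit of 2 and a page size of 1 a query returns two single-record pages and silently drops every later match; raise the limit or narrow the query when the count reaches the limit.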


Predefined queries

The only predefined query is the default query, which retrieves all pending requests.

Retrieval limit options

On the Query tab, your options for setting a Retrieval limit are:

¶ 50

¶ 100

¶ 150

¶ 250 (default)

¶ Unlimited (retrieves all the matching records)

These options affect the number of records in your query results on the Results tab.

Records per page options

On the Query tab, your options for Records per page are:

¶ 10

¶ 15 (default)

¶ 20

¶ 25

¶ Any number you type over the displayed default

These options affect the display of your query results on the Results tab.

Results tab

On the Results tab, you see the results of running your query. The tab has the following features:

¶ A table that contains the results of your query.

v Each row contains the record of an item that matches your query.

v You can sort the rows on the basis of values in a column.

v You can resize the columns to change their widths.

v You can scroll through your results if a page of the table is longer than the display.

v If your results are on multiple pages, you can clickNext PageandPrevious Pagetolook at them.

Note: You may notice a delay when you request the next page or the previous page.Pages are retrieved from the server as you need them, so only the current pageis available locally.

¶ Fields for setting the validity period of a certificate, if desired.

¶ A field for specifying a different request profile, if desired, when you approve a request.

¶ A selection list of the actions available for processing one or more selected items. If theaction is Revoke, there is also a selection list of reasons for revocation.

¶ A comment field where you can comment on the action you take.

¶ A Show Detailsbutton for displaying a record in greater detail. If you click this, the RADesktop displays theDetails tab.

¶ A Submit Action button for completing the action you select.

¶ Help for your task:


  v A status area at the bottom of a tab. This displays field-specific help, Trust Authority messages, and a progress bar during processing.

  v A Help button for the tab.

By clicking the Query tab, you can return there to refine your query or prepare another one.

Administrative actions
    Only the actions that your permissions allow are available to you. You might see any of the following.

Approve
    Approves the request, so the enrollee can have the requested certificate.

Keep pending
    Delays a decision. Use this when you need to get information from an outside source or just want to add a comment to the record.

Reject
    Denies the request.

Revoke
    Ends the validity of a certificate. Unlike a suspension, a revocation cannot be undone.

Suspend Certificate
    Temporarily suspends a certificate’s validity.

Resume Certificate
    Reactivates a suspended certificate.

Make request non-renewable
    Changes a renewable certificate to non-renewable.

Make request renewable
    Changes a non-renewable certificate to renewable.

Approve Key Recovery
    Approves the key recovery request, so the enrollee can have the recovered PKCS #12 file.

Reject Key Recovery
    Denies the key recovery request.

No action is available
    Indicates that you only have authority to view the records in the registration domain.

Publish Certificate
    Publishes the certificate to the Directory.

Reasons for revoking a certificate
    When you revoke a certificate, you must select a reason for doing so. The following are the valid reasons you can select when you revoke a certificate.

    When you display the details of a record and look at its Processing attributes, the Revocation Reason attribute may contain one of these values:

CA key was compromised
    The private key of the Certificate Authority that issued the certificate was compromised.

Certificate was superseded
    The user has a new certificate and does not need this one.


No reason
    The user requested revocation without giving a reason.

Original use no longer valid
    The certificate holder no longer needs the certificate for its original use.

User changed affiliation
    The user no longer has the affiliation that required the certificate.

User key was compromised
    The user’s private key was compromised.
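Each Revoke reason, and the Suspend Certificate and Resume Certificate actions listed under “Administrative actions”, ends up as a CRLReason code in the entry the CA places on its certificate revocation list. The following Python is an added example, not code from Trust Authority: it assumes a mapping from the RA Desktop labels above onto the RFC 5280 CRLReason names (the guide lists only the labels), encodes a selected reason as the DER extension a CRL entry carries, decodes it strictly, and models why a suspended certificate can be resumed while a revoked one cannot (suspension is certificateHold, the only reason a CA may later lift). The names RA_DESKTOP_LABELS and CertificateRecord are mine.

```python
"""RA Desktop revocation reasons as the CRLReason a CRL entry carries.

Added example, not Trust Authority code. Which RFC 5280 CRLReason code each
RA Desktop label produces is an assumption; the guide lists only the labels.
"""

# RFC 5280 section 5.3.1: CRLReason ::= ENUMERATED (value 7 is not used).
CRL_REASON_CODES = {
    "unspecified": 0, "keyCompromise": 1, "cACompromise": 2,
    "affiliationChanged": 3, "superseded": 4, "cessationOfOperation": 5,
    "certificateHold": 6, "removeFromCRL": 8,
}
CODE_TO_NAME = {code: name for name, code in CRL_REASON_CODES.items()}

# Assumed mapping of the RA Desktop's Revoke reasons onto the standard names.
RA_DESKTOP_LABELS = {
    "No reason": "unspecified",
    "User key was compromised": "keyCompromise",
    "CA key was compromised": "cACompromise",
    "User changed affiliation": "affiliationChanged",
    "Certificate was superseded": "superseded",
    "Original use no longer valid": "cessationOfOperation",
}

CRL_REASON_OID = bytes.fromhex("551d15")  # id-ce-cRLReasons, 2.5.29.21


def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value; short-form length is enough for these values."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def encode_crl_reason_extension(reason: str) -> bytes:
    """DER Extension { extnID, extnValue } carrying a CRLReason ENUMERATED.
    `reason` is an RA Desktop label or an RFC 5280 reason name."""
    name = RA_DESKTOP_LABELS.get(reason, reason)
    if name not in CRL_REASON_CODES:
        raise ValueError(f"unknown revocation reason {reason!r}")
    enumerated = _tlv(0x0A, bytes([CRL_REASON_CODES[name]]))
    return _tlv(0x30, _tlv(0x06, CRL_REASON_OID) + _tlv(0x04, enumerated))


def decode_crl_reason_extension(der: bytes) -> "tuple[int, str]":
    """Strict inverse of encode_crl_reason_extension; returns (code, name)."""
    prefix = b"\x30\x0a\x06\x03" + CRL_REASON_OID + b"\x04\x03\x0a\x01"
    if len(der) != 12 or der[:11] != prefix:
        raise ValueError("not a CRLReason Extension")
    if der[11] not in CODE_TO_NAME:
        raise ValueError(f"CRLReason value {der[11]} is not defined")
    return der[11], CODE_TO_NAME[der[11]]


class CertificateRecord:
    """Revoke, Suspend Certificate and Resume Certificate on one record.
    Suspend puts the certificate on hold (certificateHold, the only reason
    a CA may later lift); Revoke with an RA Desktop reason is permanent."""

    def __init__(self) -> None:
        self.reason = None  # None: valid, not on the CRL

    @property
    def status(self) -> str:
        if self.reason is None:
            return "valid"
        return "suspended" if self.reason == 6 else "revoked"

    def suspend(self) -> bytes:
        if self.reason is not None:
            raise ValueError(f"cannot suspend a {self.status} certificate")
        ext = encode_crl_reason_extension("certificateHold")
        self.reason = decode_crl_reason_extension(ext)[0]
        return ext

    def resume(self) -> None:
        if self.status != "suspended":
            raise ValueError(f"cannot resume a {self.status} certificate")
        self.reason = None

    def revoke(self, label: str) -> bytes:
        """Permanent revocation; allowed from valid or suspended."""
        if self.status == "revoked":
            raise ValueError("certificate is already revoked")
        if label not in RA_DESKTOP_LABELS:
            raise ValueError(f"unknown revocation reason {label!r}")
        ext = encode_crl_reason_extension(label)
        self.reason = decode_crl_reason_extension(ext)[0]
        return ext
```

The decoder deliberately accepts only the exact 12-byte shape it produces and only defined reason values; a CRL consumer should treat an undefined value as an error rather than silently treating the certificate as valid.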

Details tab
    On the Details tab, you see the details of the record you selected from those that matched your query. The tab has the following features:

¶ A list for selecting the type of detail you want to view. The list includes the action history of the item and several groups of attributes that belong to the item. “Detail groups” on page 41 describes these groups.

¶ A table that displays the type of detail you have selected:

  v If you display the attributes, each row contains an attribute and its value. You can update some of the values at the time you approve an enrollment request.

  v If you display the action history, each row represents an action that was taken on the item.

  v You can sort the rows on the basis of values in a column.

  v You can resize the columns to change their widths.

¶ Fields for setting the validity period of a certificate, if desired.

¶ A field for specifying a different request profile, if desired, when you approve a request.

¶ A selection list of the actions available to you. If the action is Revoke, there is also a selection list of reasons for revocation.

¶ A comment field where you can comment on the action you take.

¶ A Refresh Details button for updating the display.

¶ A Submit Action button for completing the action you select.

¶ Help for your task:

  v A status area at the bottom of a tab. This displays field-specific help, Trust Authority messages, and a progress bar during processing.

  v A Help button for the tab.

By clicking the Query tab, you can return there to refine your query or prepare another one. By clicking the Results tab, you can return there to continue working with the results of your query.

Action history events
    The query results table on the Results tab and the action history table on the Details tab have similar columns. The Request status column describes RA action on the enrollment request. The Fulfillment status column describes the status of processing for the request.


¶ On the Results tab, the query results table displays the current status for each item in your query results.

¶ On the Details tab, columns of the action history table display each previous status, as well as the current status of the displayed item.

Attributes of requests and certificates
    The following attributes are classified as Request Attributes. You can alter the values of some attributes.

Business Process Variables
    Values that are supplied by the organization during the enrollment process. Reasons for revocation of a certificate are available in this attribute.

Credential Expiration Date
    The date that the certificate is due to expire.

Credential Renewable Status
    Indicates whether the certificate can be renewed.

Credential UUID
    The Universal Unique Identifier, a primary key that is generated to provide an index to the database record.

Error Code
    An internal code that signifies the type of error that occurred. This field and the Error Source field describe the same error.

Error Source
    The process or other element of Trust Authority where an error occurred during processing of RA Desktop requests.

First Name
    The first element of the applicant’s full name. Although this is typically the applicant’s first name, the value might also include the middle name or middle initial.

Fulfillment Status
    Status of processing for the request. The action history displays this status. “Status of enrollment requests” on page 41 describes each status value.

Last Name
    The applicant’s last name, family name, or surname.

Previous Request ID
    An encoded string that represents the ID generated for an earlier registration request, if the certificate has been renewed.

Registration Domain
    The registration domain that provides secure resources for the holder of a certificate.

Request ID
    An encoded string that represents the ID generated for a registration request.

Request Profile name
    Controls for processing the enrollment request. This profile includes a template for the certificate. Values in this profile override any other modifications you might make if they are at odds with the profile. “Supplied certificate types” on page 40 describes the features of the certificate that is associated with each request profile.


    Note: When you view the attributes for a record, you may see two request profiles listed. The Request attributes may list one, and the Basic attributes may list another. This means that a registrar overrode the request profile at some point in the past. The profile in the Request attributes was frozen with other attributes of the enrollment request. The profile in the Basic attributes is the current request profile.

Request Status
    Status of the enrollment request. The action history displays this status. “Status of enrollment requests” on page 41 describes each status value.

Request Variables
    Values the requester supplied during the enrollment process.

Backup Status
    Status of the key backup request.

Recovery Status
    Status of the key recovery request.

Certificate extensions
    Extensions are added to a certificate in the form of name=value pairs, and may be among the attributes that are displayed for a certificate. The following certificate extensions are acceptable for the certificates of individuals who want to use a secure application:

¶ Basic Constraints

¶ Key Usage

¶ Name Constraints

¶ Private Key Usage Period

¶ Subject Alternate Name

Supplied certificate types
    A Trust Authority system provides multiple certificate types for the supported certificate categories and protocols. Variations include different validity periods. The name of the certificate is an indicator of how long it is valid and the primary use of the key. See the Glossary for descriptions of the various features.

CA Cross-certificate
    Enables certificates issued by the CA that holds it to be trusted by parties that trust the issuing CA. The certificate provides digital signature and non-repudiation.

1- and 2-year Data Encipherment
    Enables the holder to encrypt data. The certificate is not intended for other purposes.

1- and 2-year E-mail Protection
    Enables the holder to use the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol. This protocol protects e-mail or other MIME objects. It provides authentication of origin, message integrity, non-repudiation of origin, and confidentiality. It is a typical choice for an end user.

1- and 2-year IPSec
    Helps assure the integrity and confidentiality of data that is sent over the Internet in Internet Protocol packets. An IPSec certificate identifies a network device rather than a user, and is often assigned to a router.


1- and 2-year Key Encipherment Only
    Enables the holder to encrypt keys. The certificate is not intended for other purposes.

1- and 2-year Non-repudiation
    Provides message encryption and digital signing capabilities, so that the sender cannot repudiate the origin of a message and the recipient cannot repudiate its delivery.

1- and 2-year Signing Only
    Enables the holder to sign a file digitally. The certificate is not intended for other purposes.

1- and 2-year Web Client Authentication
    Enables a Web browser to participate in a client-authenticated SSL session. With this certificate, the user of the browser can access a specific secure Web site. The certificate provides digital signature, non-repudiation, and key encipherment. It is a typical choice for an end user.

1- and 2-year Web Server Authentication
    Enables a server to participate in a server-authenticated SSL session. The certificate provides digital signature and key encipherment.

Enrollees, or people who preregister for someone else, can request a suitable certificate type. When you assign a Request Profile, it contains a template for one of the certificate types.

    Note: The list you see might not match this list. Your organization might have changed the names or even the offerings. The list you see also depends on your permissions for the registration domain.
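What distinguishes most of the certificate types above is the set of Key Usage bits their template asserts. The following Python is an added example, not Trust Authority code: it encodes the key usages the guide names for each supplied type as the DER BIT STRING of the X.509 KeyUsage extension (named bits from RFC 5280), decodes it back, and reports any bits an issued certificate asserts beyond its profile. The PROFILE_KEY_USAGE table is my reading of the descriptions above, with the "1- and 2-year" prefix dropped; types whose description names no bits (E-mail Protection, IPSec, Non-repudiation) are left out rather than guessed. A real cross-certificate for a CA would normally also carry keyCertSign and cRLSign; that is my note, not something the guide states.

```python
"""KeyUsage bits for the supplied certificate types.

Added example, not Trust Authority code. PROFILE_KEY_USAGE restates the key
usages the guide names for each type; types whose description names no bits
are omitted rather than guessed.
"""

# RFC 5280 section 4.2.1.3: KeyUsage named bits, bit 0 first.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Key usages as the guide describes each supplied certificate type.
PROFILE_KEY_USAGE = {
    "CA Cross-certificate": {"digitalSignature", "nonRepudiation"},
    "Data Encipherment": {"dataEncipherment"},
    "Key Encipherment Only": {"keyEncipherment"},
    "Signing Only": {"digitalSignature"},
    "Web Client Authentication": {"digitalSignature", "nonRepudiation",
                                  "keyEncipherment"},
    "Web Server Authentication": {"digitalSignature", "keyEncipherment"},
}


def encode_key_usage(usages: "set[str]") -> bytes:
    """DER BIT STRING (tag 0x03) for a set of named bits.

    DER drops trailing zero bits, so the value is only as long as the
    highest asserted bit requires and the first octet counts unused bits.
    """
    unknown = set(usages) - set(KEY_USAGE_BITS)
    if unknown:
        raise ValueError(f"unknown key usage names: {sorted(unknown)}")
    if not usages:
        raise ValueError("KeyUsage must assert at least one bit")
    highest = max(KEY_USAGE_BITS.index(u) for u in usages)
    nbytes = highest // 8 + 1
    value = 0
    for u in usages:
        value |= 1 << (nbytes * 8 - 1 - KEY_USAGE_BITS.index(u))
    unused = nbytes * 8 - 1 - highest
    body = bytes([unused]) + value.to_bytes(nbytes, "big")
    return bytes([0x03, len(body)]) + body


def decode_key_usage(der: bytes) -> "set[str]":
    """Inverse of encode_key_usage; rejects malformed input and bits that
    RFC 5280 does not define, instead of quietly dropping them."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, octets = der[2], der[3:]
    if unused > 7 or (unused and not octets):
        raise ValueError("invalid unused-bits octet")
    if octets and octets[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    nbits = len(octets) * 8 - unused
    value = int.from_bytes(octets, "big") >> unused
    usages = set()
    for i in range(nbits):
        if (value >> (nbits - 1 - i)) & 1:
            if i >= len(KEY_USAGE_BITS):
                raise ValueError(f"bit {i} is not a defined KeyUsage bit")
            usages.add(KEY_USAGE_BITS[i])
    return usages


def excess_usages(key_usage_der: bytes, profile: str) -> "set[str]":
    """Bits a certificate asserts beyond what its supplied type allows.

    An empty set means the issued certificate matches the profile; anything
    else is a capability the profile's template did not intend to grant.
    """
    return decode_key_usage(key_usage_der) - PROFILE_KEY_USAGE[profile]
```

Run excess_usages over the KeyUsage extension of a certificate issued from a given profile to confirm that, for example, a Signing Only certificate has not also been issued with key encipherment; a registrar who overrides the request profile at approval time (see the note under Request Profile name) is exactly the case this check catches.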

Detail groups
    On the Details tab, you can use the Display field to select the group of attributes you want to see. Not all details are viewable from the RA Desktop. Some attributes appear in more than one group. The kinds of details you can view are:

Basic attributes
    Attributes intrinsically associated with a database record.

Request attributes
    Attributes that describe the enrollment request.

Processing attributes
    Attributes that describe processing that is in accordance with your business policy. These attributes include the Revocation Reason attribute.

Action history
    A table of all the actions that were taken on the request or on the fulfilled request.

Key Recovery attributes
    Attributes associated with the key recovery request. The password of the PKCS #12 file that was backed up is listed. Because that password, together with the recovered PKCS #12 file, yields the private key, treat the ability to view this group as sensitively as the ability to approve key recovery.

Status of enrollment requests
    All the statuses are events in the action history.

Request Statuses include the following:

Approved
    The registration request has been approved.


Completed
    An RA or registrar has either approved or rejected the registration request. For an approved request, a certificate has been delivered to the user.

    Note: This is the final Request Status for a registration request. The Fulfillment Status of a Completed request refers to subsequent actions and events that affect the request. For example, if a certificate is renewed or revoked, the Fulfillment Status indicates it, but the Request Status is still Completed.

Pending
    The registration request may have been reviewed, but it still awaits approval or rejection.

Received
    A registration request has been received.

Rejected
    The registration request was rejected. A certificate was not issued.

Fulfillment Statuses include the following:

Delivered
    The certificate has been delivered to the Web page where the user can accept it.

Delivery confirmed
    The user has downloaded the certificate to the Web browser.

Issued
    The registration request has been approved, and the certificate has been issued.

Not issued
    The certificate has not been issued yet. This status does not indicate whether action has been taken on the request.

Renewed
    The certificate associated with a record has been renewed, resulting in a new record and a new certificate.

Revoked
    The certificate associated with a record has been revoked, rendering it void.

Help for tabs
    The RA Desktop provides the following help, which is common to all its tabs:

A status area
    This area, at the bottom of the tab, displays the following:

    Field-specific help
        When your mouse is over a field, help is displayed for that field.

    Trust Authority messages
        These are displayed in a scrollable text box, along with an icon that indicates whether the message is a warning or an error.

    A progress bar
        This shows the progress of any processing you have requested.

A Help button
    You can click this to display help for the tab you are using.


    Note: The help you display also contains the table of contents for the Registration Authority Desktop Guide. You can display any topic in the book by clicking its entry in the table of contents.

Related topics:

“Move between tabs” on page 16

JVM for Internet Explorer
    Before installing the RA Desktop for use with Internet Explorer, you must have the following release of the Microsoft Java Virtual Machine (JVM):

¶ Release 5.00, build 3167 or later

To determine which version of the MS JVM you have, do one of the following:

¶ Open the Java console from Internet Explorer.

¶ Open a DOS command line and type the following: jview

The reported version number should be 5.00.3167 or later.

If you need to upgrade your JVM, you can download the needed release from the Microsoft Technologies for Java Web page.

Keyboard alternatives to the mouse
    Consult the following table if you must use the RA Desktop without a mouse.

Cursor/Focus location                                         Keystroke

General
Reinitiate your session after a timeout.                      F5 key
Exit the RA Desktop.                                          Ctrl-x
Get help for the currently displayed tab.                     F1 key

Working within a tab
Move to a tab label from most fields.                         Ctrl-Up arrow
Select another tab label and display that tab.                Right arrow goes to the next tab. Left arrow goes to the previous tab.
Scroll within a tab.                                          PgDn scrolls downward. PgUp scrolls upward.

Working within fields
Move to the next field from most fields.                      Tab
Move to the previous field from most fields.                  Shift-Tab
Move to the next field from a table or a text area.           Ctrl-Tab
Move to the previous field from a table or a text area.       Ctrl-Shift-Tab

Working within a table
Sort rows by a column value.                                  Alt-n, where n is the index of the column in the display. For example, to sort by the second column, press Alt-2.
Resize a column.                                              Not possible without a mouse.
Move from row to row and select a row.                        Down arrow moves down a row. Up arrow moves up a row.
Select a range of rows.                                       Shift-Up arrow or Shift-Down arrow selects each row in the range.
Select discontiguous rows.                                    Not possible without a mouse.
Move from cell to cell within a row.                          Tab moves right one cell. Shift-Tab moves left one cell.
Edit the current cell, if it is editable.                     F2 key opens a cell for editing. Enter commits the changes and exits the cell. Esc exits the cell without committing changes.

Working with the items in a list
Open a list.                                                  Up arrow or Down arrow
Move through the list of items.                               Down arrow moves down. Up arrow moves up.
Select an item from the list and close the list.              Enter key
Close the list without changing the selection.                Esc key
Exit and move to the next field.                              Tab

Working with a set of radio buttons (a set is considered one field)
Move through the radio buttons and select one.                Down arrow moves down. Up arrow moves up.
Exit the field.                                               Tab

Setting a date
Move the cursor within the date field.                        Right arrow moves right. Left arrow moves left.
Open the calendar from the date field.                        Up arrow or Down arrow
Change the year on the calendar.                              Ctrl-PgDn moves ahead a year. Ctrl-PgUp moves back a year.
Change the month on the calendar.                             PgDn moves ahead a month. PgUp moves back a month.
Change to the beginning or end of the month on the calendar.  Home moves to the beginning of the month. End moves to the end of the month.
Change the week on the calendar.                              Down arrow moves down one week. Up arrow moves up one week.
Change the day on the calendar.                               Right arrow moves to the right one day. Left arrow moves to the left one day.
Move to today’s date on the calendar.                         Ctrl-Home
Select the highlighted date.                                  Enter
Close the calendar without selecting a date.                  Esc

Working with command buttons
Move to a command button.                                     Tab
Execute the command.                                          Space bar or Enter key

Troubleshooting
    This section provides usage guidelines and troubleshooting suggestions for running the RA Desktop.

¶ When using the Microsoft Internet Explorer browser, you may see the following user interface-related problems:

  v If you receive an error relating to SSL, select Tools → Internet Options. In the Internet Options dialog, select the Advanced tab and click the Restore Defaults button. This reactivates SSL 3.0. Click OK and close all open Internet Explorer windows. Restart the RA Desktop. Note that Restore Defaults resets every setting on the Advanced tab, not only the SSL option, so review the tab afterwards. (SSL 3.0 was current when this guide was written; it has since been deprecated as insecure.)

  v The Result table contains no records after a query reported that a number of records were returned.

    This problem is due to a delay in painting the applet. You can resolve it by clicking the browser’s Refresh button to restart the applet.

  v The items from the combo box cannot be selected using the mouse.

    This problem occurs if a pop-up window falls outside the applet region. This will occur in the List and Details panels if you select one of the combo boxes without scrolling down the panel. This causes the combo box to pop up below the applet’s bottom boundary.

    The solution is to select the combo box by using the keyboard. Use the Up or Down arrow, and then press Enter or the space bar. Alternatively, you can scroll the panel to position the combo box higher and more toward the middle of the applet.


Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the information. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this information at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.


Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Department LZKS
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM’s suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

Trademarks and service marks
    The following terms are trademarks of International Business Machines Corporation or Tivoli Systems, Inc. in the United States, or other countries, or both:

IBM
AIX
AIX/6000
DB2
DB2 Universal Database
SecureWay
Tivoli
WebSphere

The Trust Authority program ("the Program") includes portions of the IBM WebSphere Application Server and the IBM HTTP Web Server ("IBM Servers"). You are not authorized to install or use the IBM Servers other than in connection with your licensed use of the Program. The IBM Servers must reside on the same machine as the Program, and you are not authorized to install or use the IBM Servers separate from the Program.

The Program includes portions of DB2 Universal Database. You are authorized to install and use these components only in association with your licensed use of the Program and IBM WebSphere Application Server for the storage and management of data used or generated by the Program and IBM WebSphere Application Server, and not for other data management purposes. For example, this license does not include inbound connections to the database from other applications for queries or report generation. You are authorized to install and use these components only with and on the same machine as the Program.

Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark in the United States, other countries, or both and is licensed exclusively through X/Open Company Limited.

Pentium is a trademark of Intel Corporation in the United States, other countries, or both.

This program contains security software from RSA Data Security, Inc. Copyright © 1994 RSA Data Security, Inc. All rights reserved.

This program contains Standard Template Library (STL) software from Hewlett-Packard Company. Copyright (c) 1994.

¶ Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

This program contains Standard Template Library (STL) software from Silicon Graphics Computer Systems, Inc. Copyright (c) 1996–1999.

¶ Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Silicon Graphics makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

Other company, product, and service names may be trademarks or service marks of others.


Related information

The Trust Authority product documentation is available in Portable Document Format (PDF) and HTML format on the IBM SecureWay Trust Authority Documentation CD-ROM. HTML versions of some publications are installed with the product and are accessible from the user interfaces.

Be aware that the product may have changed since the publications were produced. For the latest product information, and for information about accessing a publication in the language and format of your choice, see the Readme file. The latest version of the Readme file is available on the IBM SecureWay Trust Authority Web site: http://www.tivoli.com/support

The Trust Authority library includes the following documentation:

Up and Running
    This book provides an overview of the product. It lists the product requirements, includes installation procedures, and provides information about how to access the online help available for each product component. This book is printed and distributed with the product.

System Administration Guide
    This book contains general information about administering the Trust Authority system. It includes procedures for starting and stopping the servers, changing passwords, administering the server components, performing audits, and running data integrity checks.

Configuration Guide
    This book contains information about how to use the Setup Wizard to configure a Trust Authority system. You can access the HTML version of this guide while viewing online help for the Wizard.

Registration Authority Desktop Guide
    This book contains information about how to use the RA Desktop to administer certificates throughout the certificate life cycle. You can access the HTML version of this guide while viewing online help for the Desktop.

User’s Guide
    This book contains information about how to obtain and manage certificates. It provides procedures for using the Trust Authority browser enrollment forms to request, renew, and revoke certificates. It also discusses how to preregister for PKIX-compliant certificates, and how to use the Trust Authority Client to manage these certificates. You can access the HTML version of this guide while viewing online help for the Client.

Customization Guide
    This book shows you how to customize the Trust Authority registration facility to support the registration and certification goals of your business policies. For example, you can learn how to customize HTML and Java Server pages, notification letters, certificate profiles, and policy exits.

51Public Key Infrastructure RA Desktop Guide


The Trust Authority Web site includes other documents that may help you install, administer, and use Trust Authority. For example, you can find supplemental guidelines on the Directory schema and learn how to integrate Trust Authority with the IBM SecureWay 4758 PCI Coprocessor.


Glossary

This glossary defines the terms and abbreviations in this book that may be new or unfamiliar and terms that may be of interest. It includes terms and definitions from:

¶ The IBM Dictionary of Computing, New York: McGraw-Hill, 1994.

¶ The American National Standard Dictionary for Information Systems, ANSI X3.172-1990, American National Standards Institute (ANSI), 1990.

¶ The Answers to Frequently Asked Questions, Version 3.0, California: RSA Data Security, Inc., 1998.

Numbers

4758 PCI Cryptographic Coprocessor
A programmable, tamper-responding cryptographic PCI-bus card offering high performance DES and RSA cryptographic processing. The cryptographic processes occur within a secure enclosure on the card. The card meets the stringent requirements of the FIPS PUB 140-1 level 4 standard. Software can run within the secure enclosure. For example, credit card transaction processing can use the SET™ standard.

A

Abstract Syntax Notation One (ASN.1)
An ITU notation that is used to define the syntax of information data. It defines a number of simple data types and specifies a notation for identifying these types and for specifying values of these types. These notations can be applied whenever it is necessary to define the abstract syntax of information without constraining how the information is encoded for transmission.

access control list (ACL)
A mechanism for limiting the use of a specific resource to authorized users.

ACL
Access control list.

action history
Accumulated events in the life cycle of a credential.

American National Standard Code for Information Interchange (ASCII)
The standard code that is used for information interchange among data processing systems, data communication systems, and associated equipment. The ASCII set uses a coded character set that consists of 7-bit coded characters (8 bits including a bit for parity checking). The character set consists of control characters and graphic characters.

American National Standards Institute (ANSI)
An organization that establishes the procedures by which accredited organizations create and maintain voluntary industry standards in the United States. It consists of producers, consumers, and general interest groups.

ANSI
American National Standards Institute.

applet
A computer program that is written in Java® and runs inside a Java-compatible Web browser. Also known as a Java applet.

ASCII
American National Standard Code for Information Interchange.

ASN.1
Abstract Syntax Notation One.


asymmetric cryptography
Cryptography that uses two different keys, one for encryption and one for decryption. Each user holds a key pair: a public key that can be given to anyone, and a private key known only to the user. Data encrypted with one key of the pair can be decrypted only with the other, which is what makes a secure transaction between parties who share no secret possible. Also known as key pair (or public key) cryptography. Contrast with symmetric cryptography.

asynchronous communication
A mode of communication that does not require the sender and recipient to be present simultaneously.

audit client
Any client in the system that sends audit events to the Trust Authority Audit server. Before an audit client sends an event to the Audit server, it establishes a connection with the Audit server. After the connection is established, the client uses the audit subsystem client library to deliver events to the Audit server.

audit log
In Trust Authority, a table in a database that stores one record per audit event.

Audit server
A Trust Authority server that receives audit events from audit clients and writes them to an audit log.

audit subsystem
In Trust Authority, a subsystem that provides the support for logging security-relevant actions. It conforms to the recommendations of ANSI X9.57, one of the Public Key Cryptography for the Financial Services Industry standards.

audit trail
Data, in the form of a logical path, that links a sequence of events. An audit trail enables tracing of transactions or the history of a given activity.

authentication
The process of reliably determining the identity of a communicating party.

authorization
Permission to access a resource.

B

base64 encoding
An encoding that represents binary data as printable ASCII characters. It is the common means of conveying binary data in MIME messages and in PEM-style certificate files.

Basic Encoding Rules (BER)
The rules specified in ISO 8825 for encoding data units described in Abstract Syntax Notation One (ASN.1). The rules specify the encoding technique, not the abstract syntax. BER permits several different encodings of the same value. See also Distinguished Encoding Rules.

BER
Basic Encoding Rules.

browser
See Web browser.

browser certificate
A digital certificate that is also known as a client-side certificate. It is issued by a CA through an SSL-enabled Web server. The keys, held in an encrypted file, enable the holder of the certificate to encrypt, decrypt, and sign data. Typically, the Web browser stores these keys. Some applications permit storage of the keys on smart cards or other media. See also digital certificate.

business process objects
A set of code used to accomplish a specific registration operation, such as checking the status of an enrollment request or verifying that a public key was sent.

business process template
A set of business process objects that are run in a specified order.


bytecode
Machine-independent code that is generated by the Java compiler and run by the Java interpreter.

C

CA
Certificate authority.

CA certificate
A certificate that your Web browser accepts, at your request, from a CA it does not already recognize. The browser can then use this certificate to authenticate servers that hold certificates issued by that CA.

CA hierarchy
In Trust Authority, a trust structure in which one CA is located at the top of the structure and up to four layers of subordinate CAs are located below it. When users or servers are registered with a CA, they receive a certificate that is signed by that CA, and they inherit the certification hierarchy of the layers above.

CA server
The server for the Trust Authority Certificate Authority (CA) component.

CAST-64
A block cipher algorithm that uses a 64-bit block size and a 64-bit key. It was designed by Carlisle Adams and Stafford Tavares.

CCA
IBM Common Cryptographic Architecture.

CDSA
Common Data Security Architecture.

certificate authority (CA)
The software responsible for following an organization’s security policies and assigning secure electronic identities in the form of certificates. The CA processes requests from RAs to issue, renew, and revoke certificates. The CA interacts with the RA to publish certificates and CRLs in the Directory. See also digital certificate.

certificate extension
An optional feature of the X.509v3 certificate format that provides for the inclusion of additional fields in the certificate. There are standard extensions and user-defined extensions. Standard extensions exist for various purposes, including key and policy information, subject and issuer attributes, and certification path constraints.

certificate policy
A named set of rules that indicates the applicability of a certificate to a particular class of applications that have common security requirements. For example, a certificate policy might indicate whether a particular certificate type allows a user to conduct transactions for goods within a given price range.

certificate profile
A set of characteristics that define the type of certificate wanted (such as SSL certificates or IPSec certificates). The profile aids in managing certificate specification and registration. The issuer can change the names of the profiles and specify characteristics of the desired certificate, such as the validity period, key usage, DN constraints, and so forth.

certificate revocation list (CRL)
A digitally signed, time-stamped list of certificates that the certificate authority has revoked. The certificates in this list must no longer be trusted. See also digital certificate.

certification
The process during which a trusted third party issues an electronic credential that vouches for an individual, business, or organizational identity.

CGI
Common Gateway Interface.


chain validation
The validation of all CA signatures in the trust hierarchy through which a given certificate was issued. For example, if a CA was issued its signing certificate by another CA, both signatures are validated during validation of the certificate that the user presents.

class
In object-oriented design or programming, a group of objects that share a common definition and therefore share common properties, operations, and behavior.

cleartext
Data that is not encrypted. Synonym for plaintext.

client
(1) A functional unit that receives shared services from a server. (2) A computer or program that requests a service of another computer or program.

client/server
A model in distributed processing in which a program at one site sends a request to a program at another site and waits for a response. The requesting program is called a client; the answering one is called a server.

code signing
A technique for signing executable programs with digital signatures. Code signing is designed to improve the reliability of software that is distributed over the Internet.

Common Cryptographic Architecture (CCA)
IBM software that enables a consistent approach to cryptography on major IBM computing platforms. It supports application software that is written in a variety of programming languages. Application software can call on CCA services to perform a broad range of cryptographic functions, including DES and RSA encryption.

Common Data Security Architecture (CDSA)
An initiative to define a comprehensive approach to security service and security management for computer-based security applications. It was designed by Intel to make computer platforms more secure for applications.

Common Gateway Interface (CGI)
A standard interface through which a Web server passes a request to an external program and returns that program’s output to the browser.

confidentiality
The property of not being divulged to unauthorized parties.

credential
Confidential information used to prove one’s identity in an authentication exchange. In environments for network computing, the most common type of credential is a certificate that a CA has created and signed.

CRL
Certificate revocation list.

CRL publication interval
Set in the CA configuration file, the interval of time between periodic publications of the CRL to the Directory.

cross-certification
A trust model in which one CA issues to another CA a certificate that contains the public key associated with the other CA’s private signature key. A cross-certified certificate allows client systems or end entities in one administrative domain to communicate securely with client systems or end entities in another domain.

cryptographic
Pertaining to the transformation of data to conceal its meaning.

cryptography
In computer security, the principles, means, and methods for encrypting plaintext and decrypting encrypted text.


D

daemon
A program that carries out tasks in the background. It is implicitly called when a condition occurs that requires its help. A user need not be aware of a daemon, because the system usually spawns it automatically. A daemon might live forever or the system might regenerate it at intervals. The term (pronounced demon) comes from mythology. Later, it was rationalized as the acronym DAEMON: Disk And Execution MONitor.

Data Encryption Standard (DES)
An encryption block cipher, defined and endorsed by the U.S. government in 1977 as an official standard. IBM developed it originally. DES has been extensively studied since its publication and is a well-known and widely used cryptographic system. DES is a symmetric cryptographic system. When it is used for communication, both the sender and receiver must know the same secret key. This key is used to encrypt and decrypt the message. DES can also be used for single-user encryption, such as to store files on a hard disk in encrypted form. DES has a 64-bit block size and uses a 56-bit key during encryption. It was originally designed for implementation in hardware. NIST recertified DES as an official U.S. government encryption standard every five years until 2005, when it was withdrawn in favor of AES; the 56-bit key is within reach of exhaustive search.

Data Storage Library (DL)
A module that provides access to persistent data stores of certificates, CRLs, keys, policies, and other security-related objects.

decrypt
To undo the encryption process.

DEK
Document encrypting key.

DER
Distinguished Encoding Rules.

DES
Data Encryption Standard.

Diffie-Hellman
A method of establishing a shared key over an insecure medium, named after its inventors, Whitfield Diffie and Martin Hellman.

digital certificate
An electronic credential that is issued by a trusted third party to a person or entity. Each certificate is signed with the private key of the CA. It vouches for an individual, business, or organizational identity. Depending on the role of the CA, the certificate can attest to the authority of the bearer to conduct e-business over the Internet. In a sense, a digital certificate performs a similar role to a driver’s license or a medical diploma. It certifies that the bearer of the corresponding private key has authority to conduct certain e-business activities. A certificate contains information about the entity it certifies, whether person, machine, or computer program. It includes the certified public key of that entity.

digital certification
See certification.

digital signature
A coded value added to a document or data that guarantees the identity of the signer. A digital signature can provide a greater level of security than a physical signature, because it is not an encrypted name or series of simple identification codes. Instead, it is a summary (hash) of the message being signed, encrypted with the signer’s private key. Affixing a digital signature to a message therefore provides solid identification of the sender, because only the sender’s private key can create the signature. It also fixes the content of the message that is being signed: the signed summary must match the message content or the signature is not valid. Thus, a digital signature cannot be copied from one message and applied to another, because the summary would not match, and any alteration to the signed message also invalidates the signature.

Digital Signature Algorithm (DSA)
A public key algorithm that is used as part of the Digital Signature Standard. It cannot be used for encryption, only for digital signatures.

Directory
A hierarchical structure intended as a global repository for information related to communications (such as e-mail or cryptographic exchanges). The Directory stores specific items that are essential to the PKI structure, including public keys, certificates, and certificate revocation lists. Data in the Directory is organized hierarchically in the form of a tree, with the root at the top of the tree. Often, higher level organizations represent individual countries, governments, or companies. Users and devices are typically represented as leaves of each tree. These users, organizations, localities, countries, and devices each have their own entry. Each entry consists of typed attributes. These provide information about the object that the entry represents. Each entry in the Directory is bound with an associated distinguished name (DN). This is unique when the entry includes an attribute that is known to be unique to the real world object. Consider the following example DN. In it, the country (C) is US, the organization (O) is IBM, the organizational unit (OU) is Trust, and the common name (CN) is CA1.

C=US/O=IBM/OU=Trust/CN=CA1

Directory server
In Trust Authority, the IBM SecureWay Directory. This Directory supports LDAP standards and uses DB2® as its base.

Distinguished Encoding Rules (DER)
A set of constraints on the BER. Where the BER allow a value to be encoded in more than one way, DER selects exactly one of those encodings, eliminating all of the sender’s options. Because a digital signature covers the encoded bytes rather than the abstract value, certificates and CRLs are DER-encoded so that a given value has only one signable form.
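The difference between the BER and DER entries is easiest to see in a parser. The following is an added example, not code from the Trust Authority product: a small reader for single-byte tags and definite lengths, with a lax (BER) mode and a strict (DER) mode, applied to three constructed encodings of SEQUENCE { INTEGER 5 }. The sample byte strings and all function names are this example's own.

```python
"""BER versus DER: one value, several BER encodings, exactly one DER encoding.

Added example; not code from the Trust Authority product. Handles only
single-octet tags and definite lengths, which is enough to show the point.
"""
from typing import List, Tuple, Union

Node = Tuple[int, Union[bytes, List["Node"]]]  # (tag, contents or children)

# Constructed samples; all three mean SEQUENCE { INTEGER 5 }.
DER_SAMPLE = bytes.fromhex("30 03 02 01 05")          # the only DER form
BER_LONG_LENGTH = bytes.fromhex("30 81 03 02 01 05")  # length 3 in long form
BER_PADDED_INT = bytes.fromhex("30 04 02 02 00 05")   # INTEGER with a redundant 0x00


def read_length(data: bytes, pos: int, strict: bool) -> Tuple[int, int]:
    """Return (length, position after the length octets).

    BER accepts the short form (one octet below 0x80) and the long form
    (0x80 | n, then n big-endian octets). DER requires the shortest form:
    long form only for lengths >= 128, and no leading zero octets.
    """
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0:
        raise ValueError("indefinite length not supported by this reader")
    raw = data[pos:pos + n]
    if len(raw) != n:
        raise ValueError("truncated length")
    length = int.from_bytes(raw, "big")
    if strict and (raw[0] == 0 or length < 0x80):
        raise ValueError("DER: length not in minimal form")
    return length, pos + n


def check_der_integer(contents: bytes) -> None:
    """DER forbids redundant leading octets in a two's-complement INTEGER."""
    if not contents:
        raise ValueError("DER: empty INTEGER")
    if len(contents) > 1 and (
        (contents[0] == 0x00 and not contents[1] & 0x80)
        or (contents[0] == 0xFF and contents[1] & 0x80)
    ):
        raise ValueError("DER: INTEGER not in minimal form")


def parse(data: bytes, strict: bool = True) -> List[Node]:
    """Parse concatenated TLVs; constructed values (bit 0x20) are parsed recursively."""
    nodes: List[Node] = []
    pos = 0
    while pos < len(data):
        tag = data[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-octet tags not supported by this reader")
        length, pos = read_length(data, pos + 1, strict)
        contents = data[pos:pos + length]
        if len(contents) != length:
            raise ValueError("truncated contents")
        if tag & 0x20:
            nodes.append((tag, parse(contents, strict)))
        else:
            if strict and tag == 0x02:
                check_der_integer(contents)
            nodes.append((tag, contents))
        pos += length
    return nodes


def accepts(data: bytes, strict: bool) -> bool:
    """True if the reader accepts the encoding in the given mode."""
    try:
        parse(data, strict)
        return True
    except ValueError:
        return False


def decode_integer(contents: bytes) -> int:
    """INTEGER contents are big-endian two's complement."""
    return int.from_bytes(contents, "big", signed=True)


if __name__ == "__main__":
    for name, enc in [("DER", DER_SAMPLE), ("BER long length", BER_LONG_LENGTH),
                      ("BER padded INTEGER", BER_PADDED_INT)]:
        print(f"{name:20} BER ok={accepts(enc, False)}  DER ok={accepts(enc, True)}")
```

The lax reader accepts all three byte strings as the same value, and `decode_integer` returns 5 for both `05` and `00 05`. A signature or hash is computed over bytes, not values, so a verifier that tolerates the BER variants can be handed several different byte strings that all "mean" the signed content; the strict reader accepts only the DER form and rejects the other two.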

distinguished name (DN)
The unique name of a data entry that is stored in the Directory. The DN uniquely identifies the position of an entry in the hierarchical structure of the Directory.

DL
Data Storage Library.

DN
Distinguished name.

document encrypting key (DEK)
Typically, a symmetric encryption/decryption key, such as a DES key.

domain
See security domain and registration domain.

DSA
Digital Signature Algorithm.

E

e-business
Business transactions over networks and through computers. It includes buying and selling goods and services. It also includes transferring funds through digital communications.

e-commerce
Business-to-business transactions. It includes buying and selling goods and services (with customers, suppliers, vendors, and others) on the Internet. It is a primary element of e-business.

end-entity
The subject of a certificate that is not a CA.

encrypt
To scramble information so that only someone who has the appropriate decryption key can obtain the original information through decryption.


encryption/decryption
Using the public key of the intended recipient to encipher data for that person, who then uses the private key of the pair to decipher the data.

enrollment
In Trust Authority, the process of obtaining credentials for use over the Internet. Enrollment encompasses the requesting, renewing, and revoking of certificates.

enrollment attribute
An enrollment variable that is contained in an enrollment form. Its value reflects the information that is captured during the enrollment. The value of the enrollment attribute remains the same throughout the lifetime of the credential.

enrollment variable
See enrollment attribute.

extranet
A derivative of the Internet that uses similar technology. Companies are beginning to apply Web publishing, electronic commerce, message transmission, and groupware to multiple communities of customers, partners, and internal staff.

F

File Transfer Protocol (FTP)
An Internet client/server protocol for use in transferring files between computers.

firewall
A gateway between networks that restricts the flow of information between networks. Typically, the purpose of a firewall is to protect internal networks from unauthorized use from the outside.

FTP
File Transfer Protocol.

G

gateway
A functional unit that allows incompatible networks or applications to communicate with each other.

H

hierarchy
The organization of Certificate Authorities (CA) in a trust chain, starting with the self-signed CA or root of roots at the top, and ending with the CA that issues certificates to end users.

HTML
Hypertext Markup Language.

HTTP
Hypertext Transfer Protocol.

HTTP server
A server that handles Web-based communications with browsers and other programs in a network.

hypertext
Text that contains words, phrases, or graphics that the reader can click with the mouse to retrieve and display another document. These words, phrases, or graphics are known as hyperlinks. Retrieving them is known as linking to them.

Hypertext Markup Language (HTML)
A markup language for coding Web pages. It is based on SGML.


Hypertext Transfer Protocol (HTTP)
An Internet client/server protocol for transferring hypertext files across the Web.

I

ICL
Issued certificate list.

IETF (Internet Engineering Task Force)
A group that focuses on engineering and developing protocols for the Internet. It represents an international community of network designers, operators, vendors, and researchers. The IETF is concerned with the development of the Internet architecture and the smooth use of the Internet.

IniEditor
In Trust Authority, a tool used to edit configuration files.

instance
In DB2, an instance is a logical database management environment for storing data and running applications. It allows definition of a common set of configuration parameters for multiple databases.

integrity
A system protects the integrity of data if it prevents unauthorized modification (as opposed to protecting the confidentiality of data, which prevents unauthorized disclosure).

integrity checking
The checking of audit records that result from transactions with external components.

internal structure
See schema.

International Organization for Standardization (ISO)
An international organization tasked with developing and publishing standards for everything from wine glasses to computer network protocols. Often expanded informally as International Standards Organization.

International Telecommunication Union (ITU)
An international organization within which governments and the private sector coordinate global telecommunication networks and services. It is the leading publisher of telecommunication technology, regulatory, and standards information.

Internet
A worldwide collection of networks that provide electronic connection between computers. This enables them to communicate with each other via software devices such as electronic mail or Web browsers. For example, some universities are on a network that in turn links with other similar networks to form the Internet.

intranet
A network within an enterprise that usually resides behind firewalls. It is a derivative of the Internet and uses similar technology. Technically, an intranet is a mere extension of the Internet. HTML and HTTP are some of the commonalities.

IPSec
An Internet Protocol Security standard, developed by the IETF. IPSec is a network layer protocol, designed to provide cryptographic security services that flexibly support combinations of authentication, integrity, access control, and confidentiality. Because of its strong authentication features, it has been adopted by many VPN product vendors as the protocol for establishing secure point-to-point connections over the Internet.

ISO
International Organization for Standardization.

issued certificate list (ICL)
A complete list of the certificates that have been issued and their current status. Certificates are indexed by serial number and state. This list is maintained by the CA and stored in the CA database.


ITU
International Telecommunication Union.

J

Java
A set of network-aware, non-platform-specific computer technologies developed by Sun Microsystems, Incorporated. The Java environment consists of the Java OS, the virtual machines for various platforms, the object-oriented Java programming language, and several class libraries.

Java applet
See applet. Contrast with Java application.

Java application
A stand-alone program that is written in the Java language. It runs outside the context of a Web browser.

Java class
A unit of Java program code.

Java language
A programming language, developed by Sun Microsystems, designed specifically for use in applet and agent applications.

Java Virtual Machine (JVM)
The part of the Java run-time environment responsible for interpreting bytecodes.

K

key
A quantity used in cryptography to encipher or decipher information.

Key Backup and Recovery
This feature of Trust Authority enables you to back up and recover the end-entity certificates and their corresponding public and private keys certified by Trust Authority. The certificate and keys are stored in a PKCS #12 file. This file is protected by a password. The password is set at the time the certificate and keys are backed up.

key pair
Corresponding keys that are used in asymmetric cryptography. One key is used to encrypt and the other to decrypt.

KeyStore
A DL for storing Trust Authority component credentials, such as keys and certificates, in an encrypted format.

L

LDAP
Lightweight Directory Access Protocol.

Lightweight Directory Access Protocol (LDAP)
A protocol used to access the Directory.

M

MAC
Message authentication code.

MD2
A 128-bit message-digest hash function, designed by Ron Rivest. It is used with MD5 in the PEM protocols.

MD4
A 128-bit message-digest hash function, designed by Ron Rivest. It is several times faster than MD2.


MD5
A one-way message-digest hash function, designed by Ron Rivest. It is an improved version of MD4. MD5 processes input text in 512-bit blocks, divided into 16 32-bit sub-blocks. The output of the algorithm is a set of four 32-bit blocks, which concatenate to form a single 128-bit hash value. It is also used along with MD2 in the PEM protocols. Practical collision attacks have since been published against both MD4 and MD5, so neither should be used for new signatures or integrity checks.

message authentication code (MAC)
A short value computed over a message with a secret key that is shared between the sender and the recipient. The sender computes the MAC and sends it with the message; the recipient recomputes it with the same key and accepts the message only if the two values match, which shows that the message is authentic and unaltered. In Trust Authority, MAC keys are stored in the KeyStores for the CA and Auditing components.
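What the MAC entry describes, as an added example that is not code from the Trust Authority product: the sender computes an HMAC-SHA256 tag over each audit record with a shared key, and the recipient recomputes it. The record text, the key, and all function names are constructed for this example; the product's actual audit record format is not shown on this page. The example goes one step beyond the entry by chaining each tag to the previous one, so reordering is caught as well as editing.

```python
"""Keyed integrity protection of audit records with HMAC-SHA256.

Added example, not from the Trust Authority product. The record format and
key below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import List, Tuple

# Constructed MAC key; in the product the key would live in the component's KeyStore.
MAC_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00112233445566778899aabbccddeeff0")

# Constructed sample audit events.
SAMPLE_EVENTS = [
    "RA approved enrollment request 1042 for CN=alice,O=IBM",
    "CA issued certificate serial 0x2A to CN=alice,O=IBM",
    "RA revoked certificate serial 0x2A reason keyCompromise",
]

Record = Tuple[int, str, bytes]  # (sequence number, event text, tag)


def mac_record(key: bytes, seq: int, event: str, prev_tag: bytes) -> bytes:
    """Tag = HMAC(key, seq || event || previous tag).

    Binding the sequence number and the previous tag into the input ties each
    record to its position, so reordering is detected as well as editing.
    """
    msg = seq.to_bytes(8, "big") + event.encode("utf-8") + prev_tag
    return hmac.new(key, msg, hashlib.sha256).digest()


def write_log(key: bytes, events: List[str]) -> List[Record]:
    """Sender side: append a tag to every record."""
    log: List[Record] = []
    prev = bytes(32)
    for seq, event in enumerate(events):
        tag = mac_record(key, seq, event, prev)
        log.append((seq, event, tag))
        prev = tag
    return log


def verify_log(key: bytes, log: List[Record]) -> Tuple[bool, int]:
    """Recipient side: recompute every tag.

    Returns (ok, index of the first bad record, or -1). compare_digest keeps
    the comparison constant-time so the tag cannot be guessed byte by byte.
    """
    prev = bytes(32)
    for expected_seq, (seq, event, tag) in enumerate(log):
        if seq != expected_seq:
            return False, expected_seq
        if not hmac.compare_digest(mac_record(key, seq, event, prev), tag):
            return False, expected_seq
        prev = tag
    return True, -1


def tamper_demo(key: bytes = MAC_KEY) -> dict:
    """Which manipulations the verifier catches, as (ok, first_bad_index) pairs."""
    log = write_log(key, SAMPLE_EVENTS)
    edited = list(log)
    seq, event, tag = edited[2]
    edited[2] = (seq, event.replace("keyCompromise", "unspecified"), tag)
    reordered = [log[0], log[2], log[1]]
    truncated = log[:2]  # dropping the tail is NOT caught by the chain alone
    wrong_key = write_log(secrets.token_bytes(32), SAMPLE_EVENTS)
    return {
        "intact": verify_log(key, log),
        "edited": verify_log(key, edited),
        "reordered": verify_log(key, reordered),
        "truncated": verify_log(key, truncated),
        "wrong_key": verify_log(key, wrong_key),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name:10} ok={result[0]!s:5} first_bad={result[1]}")
```

The truncated case is the one to note: a MAC chain proves nothing about records that were removed from the end, so the verifier also needs the expected record count or the last tag from a source the attacker cannot edit.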

message digest
An irreversible function that takes an arbitrary-sized message and produces a fixed length quantity. MD5 is an example of a message digest algorithm.

MIME (Multipurpose Internet Mail Extensions)
A freely available set of specifications that allows the interchange of text in languages with different character sets. It also allows multimedia e-mail among many different computer systems that use Internet mail standards. For example, the e-mail messages may contain character sets other than US-ASCII, enriched text, images, and sounds.

modulus
In the RSA public key cryptographic system, the product (n) of two large primes: p and q. The best size for an RSA modulus depends on one’s security needs. The larger the modulus, the greater the security. When this book was written, the RSA Laboratories recommended key sizes depended on the planned use for the key: 768 bits for personal use, 1024 bits for corporate use, and 2048 bits for extremely valuable keys like the key pair of a CA, with a 768-bit key expected to be secure until at least the year 2004. Those figures are now obsolete: a 768-bit RSA modulus was publicly factored in 2009, and a minimum of 2048 bits is the current recommendation for every use.

N

National Language Support (NLS)
Support within a product for differences in locales, including language, currency, date and time format, and numeric presentation.

National Security Agency (NSA)
The official security body of the U.S. government.

NIST
National Institute of Standards and Technology, formerly known as NBS (National Bureau of Standards). It promotes open standards and interoperability in computer-based industries.

NLS
National language support.

nonce
A random string that a server or application sends to a user as a challenge when requesting authentication. The user signs the nonce with a private key and returns the signed nonce, together with the user’s public key, to the server or application that requested authentication. The server verifies the signature with the user’s public key: if the signature verifies against the nonce that was originally sent, the user is authenticated. Because a fresh nonce is used for each challenge, a captured response cannot be replayed later.
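The digital signature entry and the nonce entry describe the same mechanism from two sides, so one added example, not code from the Trust Authority product, covers both: a hash-then-sign RSA signature that fails when the message is altered or the signature is moved to another message, and a nonce challenge-response built on it. The key is textbook RSA over fixed, publicly known Mersenne primes so that the example runs offline and deterministically; it is deliberately insecure and stands in for a real key with PKCS #1 padding. All names are this example's own.

```python
"""Hash-then-sign and nonce challenge-response with a toy RSA key.

Added example, not from the Trust Authority product. Textbook RSA without
padding over a key built from known Mersenne primes: enough to show how
signing and verification relate, useless as a real key.
"""
import hashlib
import secrets
from typing import Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)

# Constructed key. 2^127-1 and 2^521-1 are Mersenne primes, chosen only so the
# modulus is reproducible and larger than a SHA-256 digest. Never do this for real.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
N = _P * _Q
E = 65537
_D = pow(E, -1, (_P - 1) * (_Q - 1))  # private exponent (Python 3.8+)
PUBLIC_KEY: PublicKey = (N, E)
PRIVATE_KEY: PrivateKey = (N, _D)


def digest(message: bytes) -> int:
    """The signature is computed over this fixed-length summary, not the message."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key: PrivateKey = PRIVATE_KEY) -> int:
    """Only the holder of d can produce a value that verifies under (n, e)."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key: PublicKey = PUBLIC_KEY) -> bool:
    """Recover the signed summary with the public key and compare to a fresh digest."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


# Nonce challenge-response, as in the glossary entry.

def issue_nonce() -> bytes:
    """Server side: a fresh unpredictable challenge, so an old answer cannot be replayed."""
    return secrets.token_bytes(32)


def answer_challenge(nonce: bytes, private_key: PrivateKey = PRIVATE_KEY) -> int:
    """Client side: sign the nonce with the private key."""
    return sign(nonce, private_key)


def authenticate(nonce: bytes, signed_nonce: int, public_key: PublicKey) -> bool:
    """Server side: the signature must verify against the nonce the server actually sent."""
    return verify(nonce, signed_nonce, public_key)


def signature_demo() -> dict:
    """The properties claimed in the digital signature entry, as checkable booleans."""
    order = b"transfer 100 to account 42"
    sig = sign(order)
    return {
        "valid": verify(order, sig),
        "altered_message": verify(b"transfer 900 to account 42", sig),
        "signature_moved": verify(b"transfer 100 to account 99", sig),
        "tampered_signature": verify(order, sig ^ 1),
    }


def nonce_demo() -> dict:
    """A fresh exchange succeeds; the same answer against a new nonce does not."""
    nonce = issue_nonce()
    reply = answer_challenge(nonce)
    return {
        "fresh": authenticate(nonce, reply, PUBLIC_KEY),
        "replayed_to_new_nonce": authenticate(issue_nonce(), reply, PUBLIC_KEY),
    }


if __name__ == "__main__":
    print(signature_demo())
    print(nonce_demo())
```

The server must verify against the nonce it recorded for this session, never against a nonce the client supplies, otherwise the client could replay a previously captured (nonce, signature) pair.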

non-repudiation
The use of a digital private key to prevent the signer of a document from falsely denying having signed it.

NSA
National Security Agency.

O

object
In object-oriented design or programming, an abstraction encapsulating data and the operations associated with that data. See also class.


object identifier (OID)
An administratively assigned data value of the type defined in Abstract Syntax Notation One (ASN.1).

object type
The kind of object that can be stored in the Directory. For example, an organization, meeting room, device, person, program, or process.

ODBC
Open Database Connectivity.

Open Database Connectivity (ODBC)
A standard for accessing different database systems.

Open Systems Interconnection (OSI)
The name of the computer networking standards that the ISO approved.

OSI
Open Systems Interconnection.

P

PC card
Similar to a smart card, and sometimes called a PCMCIA card. This card is somewhat larger than a smart card and usually has a greater capacity.

PEM
Privacy-enhanced mail.

PKCS
Public Key Cryptography Standards.

PKCS #1
See Public Key Cryptography Standards.

PKCS #7
See Public Key Cryptography Standards.

PKCS #10
See Public Key Cryptography Standards.

PKCS #11
See Public Key Cryptography Standards.

PKCS #12
See Public Key Cryptography Standards.

PKI
Public key infrastructure.

PKIX
The IETF Public Key Infrastructure (X.509) working group, and the X.509v3-based PKI profile and protocols it defines.

PKIX certificate management protocol (CMP)
A protocol that enables connections with PKIX-compliant applications. PKIX CMP uses TCP/IP as its primary transport mechanism, but an abstraction layer over sockets exists. This enables support for additional polling transports.

PKIX CMP
PKIX certificate management protocol.

PKIX listener
The public HTTP server that a particular registration domain uses to listen for requests from the Trust Authority Client application.


plaintext
Unencrypted data. Synonym for cleartext.

policy exit
In a registration facility, an organization-defined program that is called by the registration application. The rules specified in a policy exit apply the organization's business and security preferences to the enrollment process.

preregistration
In Trust Authority, a process that allows one user, typically an administrator, to enroll other users. If the request is approved, the RA provides information that allows the user to obtain the certificate at a later time using the Trust Authority Client application.

privacy
Protection from the unauthorized disclosure of data.

privacy-enhanced mail (PEM)
The Internet privacy-enhanced mail standard that the Internet Architecture Board (IAB) adopted to provide secure electronic mail over the Internet. The PEM protocols provide for encryption, authentication, message integrity, and key management.

private key
The key in a public/private key pair that is available only to its owner. It enables the owner to receive a private transaction or make a digital signature. Data signed with a private key can be verified only with the corresponding public key. Contrast with public key. See also public/private key pair.

protocol
An agreed-on convention for inter-computer communication.

proxy server
An intermediary between the computer that is requesting access (computer A) and the computer that is being accessed (computer B). Thus, if an end user makes a request for a resource from computer A, this request is directed to a proxy server. The proxy server makes the request, gets the response from computer B, and then forwards the response to the end user. Proxy servers are useful for accessing World Wide Web resources from inside a firewall.

public key
The key in a public/private key pair that is made available to others. It enables them to direct a transaction to the owner of the key or verify a digital signature. Data encrypted with the public key can be decrypted only with the corresponding private key. Contrast with private key. See also public/private key pair.

Public Key Cryptography Standards (PKCS)
Informal inter-vendor standards developed in 1991 by RSA Laboratories with representatives from various computer vendors. These standards cover RSA encryption, the Diffie-Hellman agreement, password-based encryption, extended-certificate syntax, cryptographic message syntax, private-key information syntax, and certification syntax.

- PKCS #1 describes a method for encrypting data by using the RSA public key cryptosystem. Its intended use is in the construction of digital signatures and digital envelopes.

- PKCS #7 specifies a general format for cryptographic messages.

- PKCS #10 specifies a standard syntax for certification requests.

- PKCS #11 defines a technology-independent programming interface for cryptographic devices such as smart cards.

- PKCS #12 specifies a portable format for storing or transporting a user's private keys, certificates, miscellaneous secrets, and so forth.

public key infrastructure (PKI)
A standard for security software that is based on public key cryptography. The PKI is a system of digital certificates, certificate authorities, registration authorities, certificate management services, and distributed directory services. It is used to verify the identity and authority of each party involved in any transaction over the Internet. These transactions might involve operations where identity verification is required. For example, they might confirm the origin of proposal bids, authors of e-mail messages, or financial transactions.


The PKI achieves this by making the public encryption keys and certificates of users available for authentication by a valid individual or organization. It provides on-line directories that contain the public encryption keys and certificates that are used in verifying digital certificates, credentials, and digital signatures. The PKI provides a means for swift and efficient responses to verification queries and requests for public encryption keys. It also identifies potential security threats to the system and maintains resources to deal with security breaches. Lastly, the PKI provides a digital timestamping service for important business transactions.

public/private key pair
A public/private key pair is part of the concept of key pair cryptography (introduced in 1976 by Diffie and Hellman to solve the key management problem). In their concept, each person obtains a pair of keys, one called the public key and the other called the private key. Each person's public key is made public while the private key is kept secret. The sender and receiver do not need to share secret information: all communications involve only public keys, and no private key is ever transmitted or shared. It is no longer necessary to trust some communications channel to be secure against eavesdropping or betrayal. The only requirement is that public keys must be associated with their users in a trusted (authenticated) manner (for instance, in a trusted directory). Anyone can send a confidential message by using public information. However, the message can be decrypted only with a private key, which is in the sole possession of the intended recipient. Furthermore, key pair cryptography can be used not only for privacy (encryption), but also for authentication (digital signatures).

R

RA
Registration authority.

RA Desktop
A Java applet that provides RAs with a graphical interface for processing requests for credentials and administering them throughout their lifetime.

RA server
The server for the Trust Authority Registration Authority component.

RC2
A variable key-size block cipher, designed by Ron Rivest for RSA Data Security. RC stands for Ron's Code or Rivest's Cipher. It is faster than DES and is designed as a drop-in replacement for DES. It can be made more secure or less secure against exhaustive key search than DES by using appropriate key sizes. It has a block size of 64 bits and is about two to three times faster than DES in software. RC2 can be used in the same modes as DES. An agreement between the Software Publishers Association (SPA) and the United States government gives RC2 special status. This makes the export approval process simpler and quicker than the usual cryptographic export process. However, to qualify for quick export approval a product must limit the RC2 key size to 40 bits with some exceptions. An additional string can be used to thwart attackers who try to precompute a large look-up table of possible encryptions.

registrar
A user who has been authorized to access the RA Desktop, to administer certificates and requests for certificates.

registration authority (RA)
The software that administers digital certificates to ensure that an organization's business policies are applied from the initial receipt of an enrollment request through certificate revocation.

registration database
Contains information about certificate requests and issued certificates. The database stores enrollment data and all changes to the certificate data throughout its life cycle. The database can be updated by RA processes and policy exits, or by registrars.

registration domain
A set of resources, policies, and configuration options related to specific certificate registration processes. The domain name is a subset of the URL that is used to run the registration facility.

registration facility
A Trust Authority application framework that provides specialized means of enrolling entities (such as browsers, routers, e-mail, and secure client applications) and managing certificates throughout their life cycle.


registration process
In Trust Authority, the steps for validating a user, so that the user and the user's public key can become certified and participate in transactions. This process can be local or Web-based, and can be automated or administered by human interaction.

repudiate
To reject as untrue; for example, to deny that you sent a specific message or submitted a specific request.

request ID
A 24- to 32-character ASCII value that uniquely identifies a certificate request to the RA. This value can be used on the certificate request transaction to retrieve the status of the request or the certificate that is associated with it.

RSA
A public key cryptographic algorithm that is named for its inventors (Rivest, Shamir, and Adleman). It is used for encryption and digital signatures.

S

schema
As relates to the Directory, the internal structure that defines the relationships between different object types.

Secure Electronic Transaction (SET)
An industry standard that facilitates secure credit card or debit card payment over untrusted networks. The standard incorporates authentication of cardholders, merchants, and card-issuing banks because it calls for the issuance of certificates.

Secure Sockets Layer (SSL)
An IETF standard communications protocol with built-in security services that are as transparent as possible to the end user. It provides a digitally secure communications channel. An SSL-capable server usually accepts SSL connection requests on a different port than standard HTTP requests. SSL creates a session during which the exchange of signals to set up communications between two modems needs to occur only once. After that, communication is encrypted. Message integrity checking continues until the SSL session expires.

security domain
A group (a company, work group or team, educational or governmental) whose certificates have been certified by the same CA. Users with certificates that are signed by a CA can trust the identity of another user that has a certificate signed by the same CA.

server
(1) In a network, a data station that provides functions to other stations; for example, a file server. (2) In TCP/IP, a system in a network that handles the requests of a system at another site, called a client/server.

server certificate
A digital certificate, issued by a CA to enable a Web server to conduct SSL-based transactions. When a browser connects to the server by using the SSL protocol, the server sends the browser its public key. This enables authentication of the identity of the server. It also enables encrypted information to be sent to the server. See also CA certificate, digital certificate, and browser certificate.

servlet
A server-side program that gives Java-enabled servers additional functionality.

SET
Secure Electronic Transaction.

SGML
Standard Generalized Markup Language.

SHA-1 (Secure Hash Algorithm)
An algorithm that was designed by NIST and NSA for use with the Digital Signature Standard. The standard is the Secure Hash Standard; SHA is the algorithm that the standard uses. SHA produces a 160-bit hash.


sign
To use your private key to generate a signature. The signature is a means of proving that you are responsible for and approve of the message you are signing.

signing/verifying
To sign is to use a private digital key to generate a signature. To verify is to use the corresponding public key to verify the signature.
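The entries for public/private key pair, private key, public key, SHA-1, sign and signing/verifying describe one mechanism from several angles. The following added example (not Trust Authority code, and not from this guide) puts them together in textbook RSA: a message is hashed with SHA-1 to a 160-bit digest, the digest is signed with the private exponent, and anyone holding the public key can verify it, while a tampered message or a different key pair fails. The same pair also shows the encryption direction, where only the private key can recover what was encrypted to the public key. The primes are constructed for the demonstration (Mersenne primes, chosen so the modulus exceeds the digest size); a real deployment uses a vetted library, keys of at least 2048 bits and PKCS #1 padding, all of which this toy omits.

```python
"""Textbook RSA key pair: sign with the private key, verify with the public key.

Added illustration for the glossary entries on public/private key pairs,
signing/verifying and SHA-1; it is not code from Trust Authority. The primes
below are constructed for the demonstration (Mersenne primes, chosen so the
modulus exceeds the 160-bit SHA-1 digest); real systems use a vetted library,
keys of at least 2048 bits and PKCS #1 padding, all of which this toy omits.
"""
import hashlib
from math import gcd


def generate_key_pair(p, q, e=65537):
    """Return (public_key, private_key) as ((n, e), (n, d)) for two primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)           # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def digest_int(message):
    """SHA-1 digest of the message (160 bits) as an integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(private_key, message):
    """Sign the hash of the message; only the private-key holder can do this."""
    n, d = private_key
    h = digest_int(message)
    if h >= n:
        raise ValueError("modulus too small for the digest")
    return pow(h, d, n)


def verify(public_key, message, signature):
    """Anyone with the public key can check the signature; a tampered message
    or a different key pair makes the recovered value disagree with the digest."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message)


def encrypt(public_key, m):
    """Encrypt an integer m < n (for example a symmetric session key) to the key's owner."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Recover m; only the matching private key can undo encrypt()."""
    n, d = private_key
    return pow(c, d, n)


# Constructed demo parameters: 2**89-1, 2**107-1, 2**61-1 and 2**127-1 are Mersenne primes.
PUBLIC_KEY, PRIVATE_KEY = generate_key_pair(2**89 - 1, 2**107 - 1)
OTHER_PUBLIC_KEY, _ = generate_key_pair(2**61 - 1, 2**127 - 1)
MESSAGE = b"approve enrollment request 7f3a"   # constructed sample message


def demo():
    """Exercise every direction of the key pair and report each outcome."""
    sig = sign(PRIVATE_KEY, MESSAGE)
    session_key = int.from_bytes(b"0123456789abcdef", "big")   # constructed 128-bit value
    return {
        "genuine": verify(PUBLIC_KEY, MESSAGE, sig),
        "tampered": verify(PUBLIC_KEY, MESSAGE + b"!", sig),
        "wrong_key": verify(OTHER_PUBLIC_KEY, MESSAGE, sig),
        "roundtrip": decrypt(PRIVATE_KEY, encrypt(PUBLIC_KEY, session_key)) == session_key,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running the module prints genuine: True, tampered: False, wrong_key: False and roundtrip: True, which is the glossary's claim in executable form: data signed with a private key verifies only under the corresponding public key, and data encrypted with a public key decrypts only under the corresponding private key.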

Simple Mail Transfer Protocol (SMTP)
A protocol that transfers electronic mail over the Internet.

site certificate
Similar to a CA certificate, but valid only for a specific Web site. See also CA certificate.

smart card
A piece of hardware, typically the size of a credit card, for storing a user's digital keys. A smart card can be password-protected.

S/MIME
A standard that supports the signing and encryption of e-mail transmitted across the Internet. See MIME.

SMTP
Simple Mail Transfer Protocol.

SSL
Secure Sockets Layer.

Standard Generalized Markup Language (SGML)
A standard for describing markup languages. HTML is based on SGML.

symmetric cryptography
Cryptography that uses the same key for both encryption and decryption. Its security rests in the key: revealing the key means that anyone could encipher and decipher messages. The communication remains secret only as long as the key remains secret. Contrast with asymmetric cryptography.

symmetric key
A key that can be used for both encryption and decryption. See also symmetric cryptography.

T

target
A designated or selected data source.

TCP/IP
Transmission Control Protocol/Internet Protocol.

top CA
The CA at the top of a PKI CA hierarchy.

TP
Trust Policy.

transaction ID
An identifier provided by the RA in response to a preregistration enrollment request. It enables a user running the Trust Authority Client application to obtain the pre-approved certificate.

Transmission Control Protocol/Internet Protocol (TCP/IP)
A set of communication protocols that support peer-to-peer connectivity functions for local and wide area networks.

triple DES
A symmetric algorithm that encrypts the plaintext three times. Although many ways exist to do this, the most secure form of multiple encryption is triple-DES with three distinct keys.


Trust Authority
An integrated IBM SecureWay security solution that supports the issuance, renewal, and revocation of digital certificates. These certificates can be used in a wide range of Internet applications, providing a means to authenticate users and ensure trusted communications.

trust chain
A set of certificates that consists of the trusted hierarchy from the user certificate to the root or self-signed certificate.

trust domain
A set of entities whose certificates have been certified by the same CA.

trusted computer base (TCB)
The software and hardware elements that collectively enforce an organization's computer security policy. Any element or part of an element that can affect security policy enforcement is security-relevant and part of the TCB. The TCB is an object that is bounded by the security perimeter. The mechanisms that carry out the security policy must be non-circumventable, and must prevent programs from gaining access to system privileges to which they are not authorized.

trust model
A structuring convention that governs how certificate authorities certify other certificate authorities.

tunnel
In VPN technology, an on-demand virtual point-to-point connection made through the Internet. While connected, remote users can use the tunnel to exchange secure, encrypted, and encapsulated information with servers on the corporate private network.

type
See object type.

U

Unicode
A 16-bit character set that is defined by ISO 10646. The Unicode character encoding standard is an international character code for information processing. The Unicode standard encompasses the principal scripts of the world and provides the foundation for the internationalization and localization of software. All source code in the Java programming environment is written in Unicode.

Uniform Resource Locator (URL)
A scheme for addressing resources on the Internet. The URL specifies the protocol, host name or IP address. It also includes the port number, path, and resource details needed to access a resource from a particular machine.

URL
Uniform Resource Locator.

user authentication
The process of validating that the originator of a message is the identifiable and legitimate owner of the message. It also validates that you are communicating with the end user or system you expected to.

UTF-8
A transformation format. It enables information processing systems that handle only 8-bit character sets to convert 16-bit Unicode to an 8-bit equivalent and back again without loss of information.

V

Virtual Private Network (VPN)
A private data network that uses the Internet rather than phone lines to establish remote connections. Because users access corporate network resources through an Internet Service Provider (ISP) rather than a telephone company, organizations can significantly reduce remote access costs. A VPN also enhances the security of data exchanges. In traditional firewall technology, message content can be encrypted, but the source and destination addresses are not. In VPN technology, users can establish a tunnel connection in which the entire information packet (content and header) is encrypted and encapsulated.


VPN
Virtual Private Network.

W

Web browser
Client software that runs on a desktop PC and enables the user to browse the World Wide Web or local HTML pages. It is a retrieval tool that provides universal access to the large collection of hypermedia material available in the Web and Internet. Some browsers can display text and graphics, and some can display only text. Most browsers can handle the major forms of Internet communication, such as FTP transactions.

Web server
A server program that responds to requests for information resources from browser programs. See also server.

WebSphere Application Server
An IBM product that helps users develop and manage high-performance Web sites. It eases the transition from simple Web publishing to advanced e-business Web applications. The WebSphere Application Server consists of a Java-based servlet engine that is independent of both the Web server and its underlying operating system.

World Wide Web (WWW)
That part of the Internet where a network of connections is established between computers that contain hypermedia materials. These materials provide information and can provide links to other materials in the WWW and Internet. WWW resources are accessed through a Web browser program.

X

X.500
A standard for putting into effect a multipurpose, distributed and replicated directory service by interconnecting computer systems. Jointly defined by the International Telecommunications Union (ITU), formerly known as CCITT, and the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC).

X.509 certificate
A widely-accepted certificate standard designed to support secure management and distribution of digitally signed certificates across secure Internet networks. The X.509 certificate defines data structures that accommodate procedures for distributing public keys that are digitally signed by trusted third parties.

X.509 Version 3 certificate
The X.509v3 certificate has extended data structures for storing and retrieving certificate application information, certificate distribution information, certificate revocation information, policy information, and digital signatures. X.509v3 processes create time-stamped CRLs for all certificates. Each time a certificate is used, X.509v3 capabilities allow the application to check the validity of the certificate. It also allows the application to determine whether the certificate is on the CRL. X.509v3 CRLs can be constructed for a specific validity period. They can also be based on other circumstances that might invalidate a certificate. For example, if an employee leaves an organization, their certificate would be put on the CRL.
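The entries for trust chain, trust domain and the X.509v3 certificate describe what an application checks each time a certificate is used: that the chain leads to a trusted self-signed root, that every link is inside its validity period, and that no link appears on a current CRL. The following added example (not Trust Authority code, and not from this guide) carries those structural checks out over constructed certificate and CRL records that hold only the fields the checks need. Signature verification of each link is deliberately out of scope for this illustration; a real validator must also confirm that each certificate was signed by its issuer's key, for which a library such as cryptography would be used.

```python
"""Structural validation of a trust chain against a CRL.

Added illustration for the glossary entries on trust chains, CRLs and
X.509v3 certificates; it is not Trust Authority code. The certificate and
CRL records below are constructed for the demonstration. Signature checks
over each link are omitted here and must be present in a real validator.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass(frozen=True)
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime          # a CRL carries its own validity period
    revoked: FrozenSet[int]        # serial numbers this issuer has revoked


def build_chain(leaf: Cert, store: Dict[str, Cert], max_depth: int = 5) -> List[Cert]:
    """Walk issuer links from the user certificate up to a self-signed certificate."""
    chain = [leaf]
    while not chain[-1].is_self_signed():
        if len(chain) >= max_depth:
            raise ValueError("chain exceeds maximum depth")
        issuer = store.get(chain[-1].issuer)
        if issuer is None:
            raise ValueError(f"no certificate found for issuer {chain[-1].issuer!r}")
        chain.append(issuer)
    return chain


def validate(leaf: Cert, store: Dict[str, Cert], trusted_roots: FrozenSet[Tuple[str, int]],
             crls: Dict[str, Crl], now: datetime) -> Tuple[bool, str]:
    """Return (ok, reason); ok is True only when every check on every link passes."""
    try:
        chain = build_chain(leaf, store)
    except ValueError as exc:
        return False, str(exc)
    root = chain[-1]
    if (root.subject, root.serial) not in trusted_roots:
        return False, f"root {root.subject!r} is not a trusted CA"
    for cert in chain:
        if not (cert.not_before <= now < cert.not_after):
            return False, f"{cert.subject!r} is outside its validity period"
    for cert in chain[:-1]:        # the self-signed root is not checked against a CRL
        crl = crls.get(cert.issuer)
        if crl is None:
            return False, f"no CRL available from {cert.issuer!r}"
        if not (crl.this_update <= now < crl.next_update):
            return False, f"CRL from {crl.issuer!r} is stale"
        if cert.serial in crl.revoked:
            return False, f"{cert.subject!r} (serial {cert.serial}) is on the CRL"
    return True, "ok"


# Constructed sample data: one root CA, one good user certificate, one revoked.
_T0 = datetime(2000, 11, 1)
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", 1, _T0, _T0 + timedelta(days=3650))
ALICE = Cert("CN=alice", "CN=Example Root CA", 1001, _T0, _T0 + timedelta(days=365))
BOB = Cert("CN=bob", "CN=Example Root CA", 1002, _T0, _T0 + timedelta(days=365))
STORE = {c.subject: c for c in (ROOT, ALICE, BOB)}
TRUSTED_ROOTS = frozenset({(ROOT.subject, ROOT.serial)})
CRLS = {ROOT.subject: Crl(ROOT.subject, _T0 + timedelta(days=30),
                          _T0 + timedelta(days=37), frozenset({BOB.serial}))}
NOW = _T0 + timedelta(days=31)   # inside the CRL's validity period


if __name__ == "__main__":
    for cert in (ALICE, BOB):
        print(cert.subject, validate(cert, STORE, TRUSTED_ROOTS, CRLS, NOW))
    print("alice, stale CRL", validate(ALICE, STORE, TRUSTED_ROOTS, CRLS, _T0 + timedelta(days=40)))
```

The stale-CRL case is the one practitioners most often get wrong: a CRL whose next_update has passed is rejected rather than treated as "nothing revoked", because an attacker who can block CRL retrieval should not thereby keep a revoked certificate usable.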


Index

A
access control list 31
access to RA Desktop 5
accessing the RA Desktop 10
action by registrar
    adding a comment 19
    altering attributes 15
    approving a key recovery request 20
    approving a request 20
    changing a validity period 18
    changing renewability 20
    getting feedback 13
    keeping a request pending 20
    permissible for domain 22, 37
    publish a certificate 22
    rejecting a key recovery request 20
    rejecting a request 20
    revoking a certificate 21
    set a request profile 19
action history
    columns in table 38
    events 38
    viewing 15
activate suspended certificate 21
attributes, certificate and request
    altering 15
    business process variables 18
    certificate extensions 40
    changing values 18
    of request or certificate 39
    viewing 15
attributes, database record 27
authentication 31
authorization for registrar 9

B
backup, key 30
browser 6
    preparation 5, 6
    scenario for preregistration 25
    supported 26
    URL 6
browser certificate 7, 10, 29
browser support 26
business process variables 18

C
CA certificate 7, 29
CA hierarchy 27
calendar 13
certificate 28
    action history 15, 38
    categories 28
    database record 26
    details of 38
    distinguished names 28
    expiring 12
    for running RA Desktop 7
    for using enrollment services 7, 29
    ongoing administration 30
    pending request for 12
    presenting 10
    publish 22, 30
    renewability 20, 30
    renewable 29
    request for 3
    requesting for browser 7
    resuming 21
    status 41
    suspending 21
    types 40
    validity period 18
certificate attributes 15, 39
Certificate Authority 27
certificate extensions 29, 40
certificate life cycle 27, 29
certificate revocation list 28
certificate type 40
certification 27
    cross-certification 27
    hierarchy 27
Challenge Response 7, 8
column headings
    action history table 15
    attributes table 15
    query results table 13
column values
    action history table 38
    attributes table 38, 39
    query results table 36
compromised key 37
CRL, resume certificate in 21
cross-certification 27

D
database records
    attributes 27


database records (continued)
    fields for retrieving 33
    handling by RA 3
    limiting retrieval 13
    predefined query 36
    querying 11
    selecting for action 17
    setting number per page 13
dates, specifying 13
DB2 26
Details tab 38
device certificate 29
Directory access 28
distinguished name 28
domain, registration 27

E
e-mail notification 7
enrollment attributes 39
enrollment request
    action history 38
    automated evaluation 26
    checking request status 8
    database record 27
    enrollment form 25
    evaluating 26
    fields for retrieving 33
    handling by RA 3, 17
    of registrar 7
    pending 12
    preregistration 25
    status 41
    Web browser support 26
enrollment request life cycle 27
enrollment Web page
    accessing 6
    CA certificate for using 7, 29
    uses 25
exiting the RA Desktop 22
expiration of certificate 12, 18

F
feedback during processing 13
field help 42
fields, RA Desktop
    help for 42
    on Details tab 38
    on Query tab 33
    on Results tab 37
file permissions, registrar 9, 17, 18

G
grace period, certificate 29

H
help for RA Desktop 33
How do I... topics 5

I
installing the RA Desktop 9
Internet Explorer
    default certificate 10
    release 43

K
key, backup 30
key, compromised 37
key, recovery 12, 30
keyboard, alternatives to a mouse 43

L
LDAP protocol 28
List tab
    records per page 13
    viewing pages 14

M
multiple registrars 31

O
overview
    registrar role 3
    Trust Authority 1

P
page size for results
    options 36
    setting 13
pending key recovery request, retrieving 12


permissions 37
    check for domain 22
    for action in domain 17, 22
    getting for domain 9
PKCS #10 request for certificate 29
PKIX-compliant application 28
preparation to use the RA Desktop 5
preregistration 25
    scenario for tasks 25
processing attributes 39
profile, request 19, 31
progress bar 42
protocol, Directory access 28
protocols 28
publish certificate 22, 30
purpose of certificate 40

Q
query
    by renewability 35
    by status 33
    expiring certificates 12
    feedback during processing 13
    fields 33
    pending requests 12
    predefined 36
    preparing 11
    revising 13
    servlet to support 31
    submitting 11
query results
    acting on 17, 18, 20, 21
    displaying as a list 13, 36
    displaying in detail 14
    expiring certificates 12
    key recovery 12
    limiting records per page 13
    paging through 14
    pending requests 12
    selecting records in 17
    setting retrieval limit 13, 35
    viewing action history 15
    viewing attributes 15
    viewing query results 13
Query tab 33

R
RA Desktop
    accessing 10
    authorization for 9
    enrollment to access 7
    exiting 22
    installing 9
    preparing to use 5
    reconfiguring 10
    servlet to support 31
    uninstalling 23
reactivate certificate 37
reasons for revocation 37
reconfiguring the RA Desktop 10
records, selecting 17
records per page, Results tab 13, 35, 36
recovery, key 12
Reference topics 33
registrar
    actions by 37
    automated tasks 3, 26
    certificate to access RA Desktop 7
    checking enrollment status 8
    comment regarding action 19
    enrolling 7
    history of actions 15, 38
    impact on registration database 27
    multiple registrars 31
    permissions for domain 22, 37
    role 3
    servlet to support tasks 31
registration 26
    actions for 37
    applying business policy 26
    automated 3, 26
    need for 3
    policies 27
    tasks, registrar 3
    Web browser support 26
Registration Authority 26
registration database 3, 26
registration domain 7, 9, 27, 31
registration records 27
    attributes 27
    fields for retrieving 33
    handling by RA 3
    limiting retrieval 13
    predefined query 36
    querying 11
    selecting for action 17
    setting number per page 13
removing the RA Desktop 23
renewability 20, 30
request attributes 39
request ID 7, 8
request profile 19, 31
Results tab 36
resume certificate 29, 37
retrieval limit
    options 36
    setting 13
revocation, reasons for 37


S
secure applications 3
SecureWay 1
server certificate 29
servlet to support RA Desktop 31
starting the RA Desktop 10
status
    current 33, 41
    values 41
    viewing 15
status area 42
suspend, certificate 21
suspend certificate 29
suspending a certificate 37

T
tab help 42
table
    action history 15, 38
    attributes 15, 39
    paging through 14
    query results 13, 36
    resizing a column 16
    selecting records in 17
    sorting rows 17
table records, selecting 17
tabs, RA Desktop
    common features 42
    Details tab 14, 38
    help for 42
    moving between 16
    Query tab 11, 33
    Results tab 13, 36
Tell me about... topics 25
type of certificate 40

U
uninstalling the RA Desktop 23
URL
    enrollment Web page 6
    registration domain 27

V
validity period 18, 31, 40

W
Web browser 6
    preparation 5, 6
    scenario for preregistration 25
    supported 26
    URL 6
Web browser support 25, 26
Web page, enrollment
    accessing 6
    CA certificate for using 7, 29
    uses 25

X
X.509v3 certificate extensions 29


Program Number: 5648-D09

Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber.

SH09-4530-02