IBM® SecureWay® Trust Authority Registration Authority Desktop Guide, Version 3 Release 1.2, SH09-4530-01

Registration Authority Desktop Guidepublib.boulder.ibm.com/tividd/td/IBM_TA/SH09-4530-01/en... · 2002-11-09 · DCE Attributes, Netscape Navigator or Communicator, release 4.7 v



Note: Before using this information and the product it supports, read the general information under “Notices” on page 43.

Second Edition (June 2000)

This edition applies to IBM SecureWay Trust Authority, program 5648-D09, version 3 release 1 modification 2, and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 1999, 2000. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.


Contents

Chapter 1. About Trust Authority . . . 1

Chapter 2. Overview . . . 3

Chapter 3. How do I...? . . . 5
  Become a registrar . . . 5
    Enable a browser . . . 5
    Access the enrollment Web page . . . 6
    Request a browser certificate . . . 6
    Check on enrollment status . . . 8
    Get authorization . . . 8
    Install the RA Desktop . . . 9
    Reconfigure the RA Desktop . . . 10
  Access the RA Desktop . . . 10
  Work with queries . . . 11
    Submit a query . . . 11
    Retrieve pending requests . . . 11
    Retrieve expiring certificates . . . 12
    Select a date from the calendar . . . 12
    Set a retrieval limit . . . 12
    Set the number of records per page . . . 12
    Get feedback during processing . . . 13
  Work with results . . . 13
    View query results . . . 13
    View results on multiple pages . . . 14
    Display details of an item . . . 14
    View item attributes . . . 14
    View an action history . . . 15
    Move between tabs . . . 15
    Resize a table column . . . 16
    Sort table rows by a column . . . 16
    Select records in a table . . . 16
  Take action . . . 16
    Act on multiple records . . . 16
    Act on an individual record . . . 17
    Change an attribute value . . . 17
    Change a validity period . . . 17
    Specify a request profile . . . 18
    Add a comment . . . 18
    Approve a request . . . 19
    Keep a request in pending status . . . 19
    Reject a request . . . 19
    Change renewability . . . 19
    Put a certificate on hold . . . 19
    Revoke a certificate . . . 20
    Remove a certificate from the CRL . . . 20
    Check permissions for the domain . . . 21
  Exit the RA Desktop . . . 21
  Uninstall the RA Desktop . . . 21

Chapter 4. Tell me about... . . . 23
  Enrollment . . . 23
    Preregistration . . . 23
    Web browser support . . . 23
  Registration . . . 24
    Business policy . . . 24
    Registration authorities . . . 24
    Registration databases . . . 24
    Registration domains . . . 24
    Registration records . . . 25
    Record Attributes . . . 25
  Certification . . . 25
    Certificate authorities . . . 25
    Certificate revocation lists . . . 26
    Directories . . . 26
    Distinguished names . . . 26
  Certificates . . . 26
    Browser certificates . . . 26
    CA certificates . . . 27
    Server or device certificates . . . 27
    Certificate extensions . . . 27
    Certificate life cycles . . . 27
    Renewability . . . 27
  Administration . . . 28
    Access control . . . 28
    Authentication and authorization . . . 28
    Concurrent administration . . . 28
    RA Desktop support servlet . . . 28
    Request profiles . . . 28

Chapter 5. Reference . . . 31
  Query tab . . . 31
    Query fields . . . 31
    Predefined queries . . . 33
    Retrieval limit options . . . 33
    Records per page options . . . 33
  Results tab . . . 33
    Administrative actions . . . 34
    Reasons for revoking a certificate . . . 35
  Details tab . . . 35
    Action history events . . . 36
    Attributes of requests and certificates . . . 36
    Certificate extensions . . . 37
    Supplied certificate types . . . 37
    Detail groups . . . 38
    Status of enrollment requests . . . 39
  Help for tabs . . . 40
  JVM for Internet Explorer . . . 40
  Keyboard alternatives to the mouse . . . 40
  Troubleshooting . . . 42

Notices . . . 43
  Trademarks and service marks . . . 44

Related information . . . 47

Glossary . . . 49

Index . . . 61

© Copyright IBM Corp. 1999, 2000 iii


Chapter 1. About Trust Authority

IBM® SecureWay® Trust Authority provides applications with the means to authenticate users and ensure trusted communications:
• It allows organizations to issue, publish, and administer digital certificates in accordance with their registration and certification policies.
• Support for Public Key Infrastructure for X.509 version 3 (PKIX) and Common Data Security Architecture (CDSA) cryptographic standards allows for vendor interoperability.
• Digital signing and secure protocols provide the means to authenticate all parties in a transaction.
• Browser- and client-based registration capabilities provide maximum flexibility.
• Encrypted communications and secure storage of registration information ensure confidentiality.

A Trust Authority system can run on IBM® AIX/6000® and Microsoft® Windows NT® server platforms. It includes the following key features:
• A trusted Certificate Authority (CA) manages the complete life cycle of digital certification. To vouch for the authenticity of a certificate, the CA digitally signs each one it issues. It also signs certificate revocation lists (CRLs) to vouch for the fact that a certificate is no longer valid. To further protect its signing key, you can use cryptographic hardware, such as the IBM SecureWay® 4758 PCI Cryptographic Coprocessor.
• A Registration Authority (RA) handles the administrative tasks behind user registration. The RA ensures that only certificates that support your business activities are issued, and that they are issued only to authorized users. The administrative tasks can be handled through automated processes or human decision-making.
• A Web-based enrollment interface makes it easy to obtain certificates for browsers, servers, and other purposes, such as virtual private network (VPN) devices, smart cards, and secure e-mail.
• A Windows® application, the Trust Authority Client, enables end users to obtain and manage certificates without using a Web browser.
• A Web-based administration interface, the RA Desktop, enables authorized registrars to approve or reject enrollment requests and administer certificates after they have been issued.
• An Audit subsystem computes a message authentication code (MAC) for each audit record. If audit data is altered or deleted after it has been written to the audit database, the MAC enables you to detect the intrusion.
• Policy exits enable application developers to customize the registration processes.
• Integrated support for a cryptographic engine. To authenticate communications, the core Trust Authority components are signed with a factory-generated private key. Security objects, such as keys and MACs, are encrypted and stored in protected areas called KeyStores.
• Integrated support for IBM SecureWay Directory. The Directory stores information about valid and revoked certificates in an LDAP-compliant format.
• Integrated support for IBM WebSphere™ Application Server and IBM HTTP Server. The Web server works with the RA server to encrypt messages, authenticate requests, and transfer certificates to the intended recipient.
• Integrated support for the award-winning IBM DB2® Universal Database.
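The tamper detection the Audit subsystem feature above relies on, as an added illustration that is not IBM's code: each record gets an HMAC that also covers its sequence number and the previous record's MAC, so altering, deleting or reordering a record after it was written fails verification. The key, the record layout and the registrar events are constructed assumptions.

```python
"""Tamper-evident audit records (added illustration, not Trust Authority's code)."""
import copy
import hashlib
import hmac
import json

# Constructed key; a real deployment keeps the audit key in a protected KeyStore.
AUDIT_KEY = b"constructed-audit-key-do-not-reuse"
_GENESIS = b"\x00" * 32  # chain value used before the first record


def _record_mac(key, seq, prev_mac, event):
    """HMAC-SHA256 over (sequence number || previous MAC || canonical JSON of the event)."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, seq.to_bytes(8, "big") + prev_mac + canonical, hashlib.sha256).digest()


def append_record(log, key, event):
    """Append an audit event, chaining its MAC to the record before it."""
    seq = len(log) + 1
    prev = log[-1]["mac"] if log else _GENESIS
    log.append({"seq": seq, "event": dict(event), "mac": _record_mac(key, seq, prev, event)})
    return log


def verify_log(log, key, expected_len=None):
    """Return (True, None) if intact, else (False, seq) naming the first bad position.

    Detects altered content, a wrong key, deleted or reordered records and,
    when expected_len (a count kept by a trusted party) is given, truncation.
    """
    prev = _GENESIS
    expected_seq = 1
    for rec in log:
        if rec["seq"] != expected_seq:
            return False, expected_seq          # gap or reorder: a record is missing here
        if not hmac.compare_digest(rec["mac"], _record_mac(key, rec["seq"], prev, rec["event"])):
            return False, rec["seq"]            # content or chain does not match its MAC
        prev = rec["mac"]
        expected_seq += 1
    if expected_len is not None and len(log) != expected_len:
        return False, expected_seq              # trailing records were removed
    return True, None


def build_sample_log():
    """Constructed sample: three registrar actions of the kind the RA Desktop performs."""
    log = []
    for event in (
        {"actor": "registrar1", "action": "approve", "request_id": "REQ-0001"},
        {"actor": "registrar1", "action": "reject", "request_id": "REQ-0002", "comment": "incomplete"},
        {"actor": "registrar2", "action": "revoke", "serial": "0x1a2b", "reason": "keyCompromise"},
    ):
        append_record(log, AUDIT_KEY, event)
    return log


def tampered_copy(log, seq, **changes):
    """Copy the log and edit one record's event without recomputing its MAC (simulated tampering)."""
    out = copy.deepcopy(log)
    out[seq - 1]["event"].update(changes)
    return out


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_log(log, AUDIT_KEY))
    print("record 2 altered:", verify_log(tampered_copy(log, 2, action="approve"), AUDIT_KEY))
    print("record 2 deleted:", verify_log([log[0], log[2]], AUDIT_KEY))
    print("last record dropped:", verify_log(log[:2], AUDIT_KEY, expected_len=3))
```

Dropping the newest records is only visible when the verifier knows how many there should be, which is why expected_len is taken from outside the log.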


Chapter 2. Overview

When an organization has secure applications protected by Trust Authority, only users with the proper credentials can access those applications. Someone who wants a credential, such as a digital certificate, can request it by providing appropriate information. Data in the enrollment request is the basis for the decision to approve the request or reject it. If an enrollment request is approved, the Trust Authority Registration Authority (RA) processes the request, and the Trust Authority Certificate Authority (CA) issues the certificate. Records of enrollment requests and certificates reside in an encrypted registration database.

Evaluating enrollment requests and administering these records is an administrative task. Sometimes your organization configures Trust Authority to automate parts of these tasks, and a program evaluates the registration data. Other times a registrar like you makes all the judgments.

The Trust Authority Registration Authority Desktop (RA Desktop) is a graphical user interface (GUI) for handling enrollment requests and managing the resulting records. It supports your tasks as a registrar, such as:
• Evaluating enrollment requests that are pending, to approve or reject them
• Preparing queries to retrieve records of certificates of a particular type or that belong to specific users
• Reviewing the details of a record
• Setting the validity period of a certificate
• Taking action to change the status of a certificate or enrollment request
• Annotating a record to explain the reason for an action

The RA Desktop is a secure applet. To use it, you must have authority to do specific tasks, and you must be authenticated by presenting the proper digital certificate.

Related topics:
“Become a registrar” on page 5
“Access the RA Desktop” on page 10


Chapter 3. How do I...?

The topics in this section provide step-by-step directions for your tasks as a registrar, such as:
• Preparing your browser and installing the RA Desktop
• Getting your browser certificate and authorization to be a registrar
• Querying the registration database to work with requests and certificates

Become a registrar

Before you can access the RA Desktop to administer certificates and requests for certificates, you must be enrolled as an authorized Trust Authority registrar. This process involves several steps, some of which must be handled by a system administrator.

This section describes preliminary tasks you need to complete before you can use the RA Desktop:
__ Step 1. One user, typically a system administrator, must follow the procedures in the System Administration Guide to add the first registrar to the system.
__ Step 2. Set up your Web browser so that it can run the RA Desktop.
__ Step 3. Access the Trust Authority enrollment Web page to obtain the necessary certification.
__ Step 4. Request a CA certificate, and then a browser certificate, for your Web browser. Your organization should provide guidance about the type of browser certificate you should select to install and the name of the registration domain that you are being authorized to administer.
__ Step 5. Check on the enrollment status and confirm that the certificate was installed.
__ Step 6. After the certificate has been issued, you must request authorization to work as a registrar. Communicate a request to the first authorized registrar, and provide this user with the request ID that was returned to you after you submitted your request for a certificate.
__ Step 7. The first registrar must follow the procedures in the System Administration Guide to authorize you as a new registrar.
__ Step 8. After receiving confirmation that you have been enrolled as a registrar, install the RA Desktop. If you later need to change the default browser you set during installation, or if you need to change the RA Server’s URL, you can reconfigure the RA Desktop.

Enable a browser

Before enabling a browser, make sure that your machine meets the following requirements for running the RA Desktop:
• An Intel Pentium® processor with at least 64 MB of RAM, or better.
• A computer display that supports VGA resolution, or better.
• The Microsoft Windows 95, 98, or NT operating system.


To enable a Web browser for the RA Desktop:
1. Install one of the supported Web browsers:
   • Netscape Navigator or Communicator, release 4.51 or later (on AIX® with DCE Attributes, Netscape Navigator or Communicator, release 4.7)
   • Microsoft Internet Explorer, release 5.0. With Internet Explorer, you must have Java Virtual Machine (JVM), release 5.00, build 3167 or later. “JVM for Internet Explorer” on page 40 describes how to determine which release of JVM you are running, and how to upgrade if necessary.
   Note: You must install the official version of the product, distributed by Netscape or Microsoft. Versions from third-party vendors may not display information correctly, especially when you run the applet in a language other than English.
2. Alter your Web browser:
   • In Netscape, open the Preferences menu to enable Java.
   • In Internet Explorer, open the Options menu to enable Java.

Note: The latest information about RA Desktop applet requirements is available in the Readme file. The Readme file is available at the IBM SecureWay Trust Authority Web site: http://www.tivoli.com/support

Access the enrollment Web page

To access the Web page for enrollment:
1. Get your organization’s URL for accessing the enrollment Web page. The URL will have the following format:
   http://MyWebServer:port/MyDomain/index.jsp
   where MyWebServer:port is the host name and port of the server on which the Trust Authority Registration Authority is installed. MyDomain is the configured name of the registration domain on this Trust Authority system. For example:
   http://MyWebServer:80/MyDomain/index.jsp
2. Open the browser you enabled for the RA Desktop.
3. Enter the URL:
   • In Netscape, type the URL in the text box at Location.
   • In Internet Explorer, type the URL in the text box at Address.
4. Press the Enter key. The Trust Authority enrollment Web page is displayed. For a default installation, the name of this page is Credential Central.
5. If you are using the Trust Authority enrollment services for the first time, click install our server’s CA certificate. This certificate enables your browser to authenticate communications from the enrollment services. The next time you use these services, you can omit this step.

Request a browser certificate

This section describes how to use the Trust Authority enrollment page to request a browser certificate so you can run the RA Desktop.


Note: As a registrar, you might also need to enroll servers or devices, or preregister someone. For help with those tasks, refer to the Trust Authority User’s Guide.

Depending on how the registration facility was customized for your organization, the procedures for getting a valid certificate may vary. The following discussion outlines basic steps. Contact your system administrator for procedures appropriate for your site.

To obtain your browser certificate:
1. Access the enrollment Web page from your browser.
2. In the Certificate Enrollment area:
   a. Select Enrollment Type → Browser certificate.
   b. Select Action → Enroll.
   c. Click OK. The enrollment form you requested is displayed.
3. Follow the instructions on the Web page to complete the fields. There are two sections:
   • A Registration Information section with text boxes where you supply information about yourself.
   • A Certificate Request Information section with text boxes where you supply information about the certificate you want. If you do not supply values in the section’s optional fields, Trust Authority supplies defaults that are associated with the type of certificate you are requesting.

   Pay particular attention to the following fields:

   Type of Certificate
   Select the kind of browser certificate that your organization wants you to present to access the RA Desktop. “Supplied certificate types” on page 37 describes the certificate types.

   Install CA certificate to Browser
   Click to get a corresponding CA certificate that is compatible for the certificate type. If you click this button, the CA certificate is downloaded immediately. This certificate enables your browser to authenticate communications from the registration facility when you use the RA Desktop. If for some reason you already have the same CA certificate, you do not need another one.

   E-mail Address
   To select E-mail Notification, you must supply your e-mail address.

   E-mail Notification
   Select this to receive e-mail about the outcome of your request.
   Note: If the RA server is installed on a Windows NT platform in your organization, the registration facility’s configuration file (raconfig.cfg) may need to be updated to point to an SMTP host to enable this feature. For details, see the Trust Authority Customization Guide.

   Challenge Response
   Be sure to remember the case-sensitive Challenge Response you supply. You will need to know it later to check the status of the enrollment request.


   Domain Name
   Optionally, type the host name of the machine where the certificate will be installed (your machine’s host name). Typically, you can omit this field unless you have been instructed to use it.

   If you need further help with the fields, consult the Reference section of the Trust Authority User’s Guide.
4. Click Submit Enrollment Request. After Trust Authority receives the enrollment form, it validates the information:
   • If the form contains errors, it shows you the errors. Make the changes and click Resubmit Enrollment Request.
   • If the form contains no errors, another Web page displays your request ID.
5. Make sure to keep your request ID. It identifies you later so that you can check on the status of the request and receive your certificate when it is ready. Do one of the following, as described on the Web page:
   • Bookmark the Web page so that you can return to this display and check on your certificate. This is the easiest way to return to check your status.
   • Record the request ID so that you can supply it when you return. As a safeguard, you may want to record the request ID regardless of whether you created a bookmark for the status page.
   • If you specified that you wanted to receive an e-mail notification on the enrollment form, you can wait for the request ID to come by e-mail.

Check on enrollment status

To check the status of your enrollment request, either return to the Web page you bookmarked during enrollment, or complete the following steps:
1. Access the enrollment Web page.
2. At Enrollment Type, select the type of enrollment you requested.
3. At Action, select Check Status.
4. Click OK. The display contains fields where you must authenticate your identity before you can get any information about your request.
5. Supply information in the fields:
   • At Request ID, type the request ID you were shown after you submitted the enrollment form.
   • At Challenge Response, type the same Challenge Response you supplied on the enrollment form.
6. Click Check Enrollment Status. A message indicates the current status of your request.
   • If your request is still pending, you can return later and check again.
   • If your browser certificate has been issued, it was downloaded when you clicked Check Enrollment Status.
7. View your certificate if desired, following the instructions on the Web page.

Get authorization

Before asking your system administrator to authorize you for the RA Desktop, complete the following tasks:
• Request a browser certificate and specify the registration domain you will administer.
• Download to your Web browser the browser certificate and its compatible CA certificate.

Install the RA Desktop

Installing the RA Desktop is a two-part process. When installing the server software, a system administrator must select Registration Authority Desktop to install the installation image for the applet. The administrator must then distribute the image or make it available on your network so that you can run the installation program from your workstation.

Note: If you install the RA Desktop applet on the same machine from which the Setup Wizard was previously run, the Setup Wizard cannot be run again. If you are using Trust Authority in a test environment, you may want to install the Setup Wizard and RA Desktop on separate machines so that you will be able to repeat the configuration process until you are ready to put the system into production mode.

Use the following procedure to run the RA Desktop installation program, RADInst.exe.
1. Make sure your workstation meets the requirements listed in “Enable a browser” on page 5.
2. From your system administrator, get the URL for the registration domain that you will be administering.
3. Follow your organization’s instructions to copy, access, or download the RA Desktop installation image.
4. Shut down all active programs.
5. Select Start → Run, click Browse to locate the RADInst.exe file, and click OK to run the program.
6. Review the information on the Welcome window, and click Next.
7. On the Choose Destination Location window, click Next if you want to install the software in the default location (c:\Program Files\IBM\TrustAuthority\RA Desktop). Otherwise, click Browse to select or type a different destination folder, and then click Next.
8. On the Choose Browser window, select the browser that you want to use as your default browser for accessing the RA Desktop.
   Note: You see this window only if you have both Microsoft and Netscape browsers installed and they are both at the required release level.
9. On the Choose Host window, type the URL for the server where the Registration Authority is installed. You must type it in the following format, where hostname:port is the virtual host name and secure port number on the server where the Registration Authority was installed, and RegistrationDomainName is the name that was configured for your organization’s registration domain:
   https://hostname:port/RegistrationDomainName
   For example: https://MyRAserver:1443/MyDomain
10. On the Select Program Folder window, click Next if you want to use the default program folder (IBM SecureWay Trust Authority). Otherwise, type or select the name of the folder you want to use, and then click Next.
11. On the Start Copying Files window, review the settings you specified for this installation of the RA Desktop. If you are satisfied with your choices, click Next. The program copies files to the requested location.


12. On the Setup Complete window:
   • Click the check box to view the README if you want to review the Trust Authority product Readme file. After you click Finish, the Readme file will be displayed in your selected browser.
   • Click Finish to complete the installation process.

After the installation is complete, RA Desktop and RA Desktop Configuration are in your Start menu under Programs → IBM SecureWay Trust Authority.

Reconfigure the RA Desktop

After you install the RA Desktop, you can change the default browser that you want to use when accessing the applet and change the URL for the RA server that hosts the applet. Use the following procedure to make these changes.
1. Select Start → Programs → IBM SecureWay Trust Authority → RA Desktop Configuration.
2. On the Choose Browser window, select the browser that you want to use when accessing the RA Desktop.
3. On the Choose Host window, type the URL for the RA server that hosts the RA Desktop. You must specify the secure host name, the port number, and the name of the registration domain you need to administer (the domain name cannot contain spaces). For example:
   https://NewRAServer:1443/NewDomainName
4. On the Select Program Folder window, click Next without making any changes.
5. On the Start Copying Files window, review your changes and then click Next.
6. On the Setup Complete window, click Finish to complete the reconfiguration process.

Access the RA Desktop

Each time you want to start the RA Desktop, you must first do the following:
1. If your registrar certificate is in your Netscape browser, close any Netscape sessions you are running.
2. On your Windows taskbar, select Start → Programs → IBM SecureWay Trust Authority → RA Desktop. When you request the URL of the RA Desktop, your Web browser and the server agree to initiate a secure (client-authenticated) session. Before the server can return the content of that URL, you must be authenticated as a valid registrar. The browser should prompt you to present a certificate. The prompt varies with the browser you use.
3. Present your registrar certificate.
   Note: If you use Internet Explorer, the browser automatically submits the last certificate you presented to the server during your browser session. It does not prompt you for acknowledgment. To present a different certificate, you must exit and restart the browser.

   The Web browser downloads and initializes the RA Desktop applet:
   • During downloading of the applet, you might see several messages at the bottom of the browser’s display. For example, you might see a message to indicate that the browser is initializing Java.
   • During initialization, you see a progress bar that indicates how near the process is to completion. If an error occurs during initialization, the progress bar stops, and you see a generic warning message.

After initialization is complete, you see the RA Desktop. It is ready to use. You can start administering registration requests and certificates for the registration domain that is associated with your certificate.

Note: If you access the RA Desktop from Netscape and some time passes without activity on the RA Desktop, Netscape prompts you for your certificate again. This additional security protects your organization in case an emergency calls you away from your desk before you have exited the RA Desktop.

Work with queries

Select the Query tab to prepare a query. You can make your query very specific, or you can retrieve a group of records with common characteristics. You can also limit the number of records to retrieve and specify how many to display on a page when you view them.

Submit a query

On the Query tab, prepare a query to retrieve enrollment requests and certificate records you want to work with. You can base your query on either the current status of a request or certificate or on its renewal and expiration characteristics. Within these two categories, you can further refine your query by using the other available fields.
1. Use the fields on the tab to prepare your query. You can refine your query by combining as many of the available fields as desired. “Query fields” on page 31 describes the fields.
   • As you move your cursor over a field, the bottom of the tab displays help for that field.
   • You can run the query without specifying any values of your own. This will retrieve records of all the requests that are pending, regardless of their other characteristics.
2. Change the limit on the number of records to retrieve, if desired.
3. Change the number of records to display on a page when you view the results on the Results tab, if desired.
4. When you have prepared your query, click Submit Query. While you are waiting for your query results, a progress bar shows the progress of query processing. When the results of your query are ready, the Results tab is automatically displayed.
5. On the Results tab, find the records you want to work with.

Related topics:
“Retrieve pending requests”
“Retrieve expiring certificates” on page 12
“Predefined queries” on page 33

Retrieve pending requests

On the Query tab, do either of the following:
• Run a query without specifying any values of your own. This is the same as specifying a Pending status.
• Without changing the selection at Query type, specify additional characteristics for the records to retrieve, if desired. For example, suppose that your manager asks that you handle someone’s registration request before you handle other pending requests. You could specify the person’s name in your query.

Retrieve expiring certificates
On the Query tab, prepare a query to retrieve records of renewable certificates that are due to expire within a specific period:
1. At Query type, select By renewability and expiration.
2. Open the list at Renewability and click Renewable.
3. Refine your query to retrieve only the records of certificates that will expire during a specific period. At Range of expiration dates:
   • Type or select the earliest expiration date at From.
   • Type or select the latest expiration date at To.

Related topics:

“Change a validity period” on page 17

Select a date from the calendar
To select a date from the calendar instead of typing it in a date field:
1. Click the small calendar icon next to the field’s text box.
   The calendar opens, displaying the current month or the month of the date in the field.
2. To select a different year, click the year on the calendar. This displays a list from which you can select a year.
3. To select a month, click one of the arrowheads next to the name of the current month. The left arrowhead displays earlier months, and the right arrowhead displays later months.
4. To select a day, click the day of the month you want.
   The calendar closes, displaying the selected date in the field.

Set a retrieval limit
On the Query tab, you can limit the number of records that are retrieved, even if more than that number match your query. The limit you set is only for the query you are preparing.
1. At Retrieval limit, open the list and select a limit. The default is 150.
   This limit affects the size of your query results.
2. Specify the rest of your query.

Set the number of records per page
On the Query tab, you can limit the number of records that are displayed on a page of the Results tab. The limit you set is only for the query you are preparing.
1. At Records per page, do one of the following:
   • Open the list and select a limit.
   • Type a number over the displayed default.
   This value controls the display of your query.
2. Specify the rest of your query.
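The following Python is an added example, not code from this guide or from the Trust Authority product. It models the query behaviour described in the preceding sections: a query with no values of your own retrieves pending requests, the By renewability and expiration query type filters on renewability and on a range of expiration dates, the retrieval limit cuts off the result set (and tells you that it did, which is the case in which the guide says to raise the limit and run the query again), and Records per page splits the retrieved records into Results-tab pages. The record layout, the status strings, the default page size and the sample records are constructed for the example; the real fields are described under “Query fields” on page 31.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


# Constructed record layout mirroring the Results tab columns. The status
# strings are assumptions; the guide lists the real values on page 39.
@dataclass(frozen=True)
class Record:
    name: str                          # "lastname, firstname"
    request_status: str                # Pending, Approved, Rejected, ...
    fulfillment_status: str            # e.g. Delivered, or "" before fulfillment
    last_update: date
    date_received: date
    renewable: Optional[bool] = None   # None until a certificate exists
    expires: Optional[date] = None     # certificate expiration, if one was issued


@dataclass(frozen=True)
class Query:
    query_type: str = "By status"          # or "By renewability and expiration"
    request_status: Optional[str] = None   # None means Pending (the default query)
    name: Optional[str] = None             # case-insensitive substring match
    renewable: Optional[bool] = None
    expires_from: Optional[date] = None    # Range of expiration dates: From
    expires_to: Optional[date] = None      # Range of expiration dates: To
    retrieval_limit: int = 150             # the guide's default
    records_per_page: int = 10             # assumed default page size


def matches(rec: Record, q: Query) -> bool:
    """True if the record satisfies every field the registrar filled in."""
    if q.name is not None and q.name.lower() not in rec.name.lower():
        return False
    if q.query_type == "By status":
        # Running the query with no values is the same as specifying Pending.
        return rec.request_status == (q.request_status or "Pending")
    if q.query_type == "By renewability and expiration":
        if rec.expires is None:
            return False                    # no certificate yet, nothing to expire
        if q.renewable is not None and rec.renewable != q.renewable:
            return False
        if q.expires_from is not None and rec.expires < q.expires_from:
            return False
        if q.expires_to is not None and rec.expires > q.expires_to:
            return False
        return True
    raise ValueError(f"unknown query type: {q.query_type!r}")


def run_query(records: List[Record], q: Query) -> Tuple[List[Record], bool]:
    """Return (retrieved records, truncated). truncated is True when more
    records matched than the retrieval limit allowed."""
    hits = [r for r in records if matches(r, q)]
    hits.sort(key=lambda r: (r.date_received, r.name))   # oldest request first
    return hits[: q.retrieval_limit], len(hits) > q.retrieval_limit


def page(results: List[Record], per_page: int, number: int) -> List[Record]:
    """One Results-tab page (1-based), sized by Records per page."""
    if per_page < 1 or number < 1:
        raise ValueError("page size and page number must be positive")
    start = (number - 1) * per_page
    return results[start : start + per_page]


def page_count(results: List[Record], per_page: int) -> int:
    """Number of pages the status area would report (at least one)."""
    return max(1, -(-len(results) // per_page))   # ceiling division


# Constructed sample data: names and dates are invented for the example.
SAMPLE = [
    Record("Smith, Alice", "Pending", "", date(2000, 6, 1), date(2000, 6, 1)),
    Record("Jones, Bob", "Pending", "", date(2000, 6, 2), date(2000, 6, 2)),
    Record("Lee, Carol", "Pending", "", date(2000, 6, 3), date(2000, 6, 3)),
    Record("Brown, Dan", "Approved", "Delivered", date(1999, 9, 15), date(1999, 9, 10),
           renewable=True, expires=date(2000, 9, 15)),
    Record("Garcia, Eve", "Approved", "Delivered", date(1999, 12, 1), date(1999, 11, 28),
           renewable=True, expires=date(2000, 12, 1)),
    Record("Patel, Finn", "Approved", "Delivered", date(1999, 9, 20), date(1999, 9, 18),
           renewable=False, expires=date(2000, 9, 20)),
    Record("Kim, Gina", "Rejected", "", date(2000, 5, 20), date(2000, 5, 19)),
]

if __name__ == "__main__":
    pending, truncated = run_query(SAMPLE, Query())
    print("pending:", [r.name for r in pending], "truncated:", truncated)
    expiring, _ = run_query(SAMPLE, Query(
        query_type="By renewability and expiration", renewable=True,
        expires_from=date(2000, 9, 1), expires_to=date(2000, 9, 30)))
    print("renewable, expiring in September 2000:", [r.name for r in expiring])
```

The `truncated` flag is the part worth copying: a query whose result set is silently capped at the retrieval limit looks complete on the Results tab, so anything that automates registrar work should check for the cap rather than assume every matching record was returned.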


Get feedback during processing
After you click a command button on any tab, the status area at the bottom of the panel shows the progress of the processing you requested.

Work with results
Select the Results tab to display the results of your query.

The tab can display more than one of the records you retrieved. The number of records per page depends on the value you selected when you submitted the query.

View query results
On the Results tab, you can view the results after you run a query.

Each row in the table at Query results contains a record that matches your query. The table contains the following columns:

Name
   The name associated with a request or certificate, displayed in the following format: lastname, firstname

Request status
   The current status of the enrollment request, such as Approved. “Status of enrollment requests” on page 39 describes each status value.

Fulfillment status
   The current status of processing for the request, such as Delivered.

Last update
   The date associated with the status of the request or certificate.

Date received
   The date the enrollment request was received.

To view your query results:
1. Find the records you need. You can do any of the following if it helps you to find the needed records:
   • Scroll the table, resize columns, or sort the rows of the table.
   • Move from page to page to view more of the results.
2. When you find the records you want to work with, you can do the following, if desired:
   • Select one or more records and act on them as a group.
   • Select a single record to view more detail.

Note: If you did not retrieve the record you need, return to the Query tab:
   • If your query is incorrect, make changes and then run it again.
   • If your query is correct, set the retrieval limit to retrieve a larger number of records, and run your query again.

Related topics:

“Set the number of records per page” on page 12


View results on multiple pages
On the Results tab, the results of your query might occupy multiple pages. The number of pages depends on the number of records that match your query and the page size you specified for displaying them. The status area tells you how many pages there are and which page you are viewing.
• Click Next Page to move to the next page of the group.
• Click Previous Page to move to the previous page of the group.
• To go back more than a few pages, it may be faster to return to the Query tab and resubmit the query. Then the Results tab displays the first page of your query results again.

Display details of an item
On the Results tab:
1. In the query results table, select the row for a record in your query results.
2. Click Show Details.
   The Details tab is displayed automatically, to show the details of the record you chose.
3. On the Details tab at Display, select the type of detail you want to see.

Note: You can also display details of a record by double-clicking it on the Results tab, or by selecting it and then selecting the Details tab.

Related topics:

“Act on an individual record” on page 17

View item attributes
On the Results tab:
1. Select a record from the table of query results.
2. Click Show Details to display the record in more detail on the Details tab.
3. On the Details tab, at Display, select the type of attributes you want to see.
   “Detail groups” on page 38 describes how the attributes are grouped. The default is Basic Attributes.
4. Look at the table.
   Each row in the table lists an attribute of the request or certificate. “Attributes of requests and certificates” on page 36 describes the request attributes. The table contains the following columns:

   Attribute name
      The name of the attribute.

   Attribute value
      The value of the attribute. The value may change during the life cycle of a request or certificate.

5. Scroll the table, resize columns, or sort the rows of the table if it helps you with your task.

Related topics:

“Change an attribute value” on page 17


View an action history
On the Results tab:
1. Select a record from the table of query results.
2. Click Show Details to display the record in more detail on the Details tab.
3. On the Details tab, at Display, select Action History.
4. Look at the table. It includes details of every event in the life cycle of the item.
   Each row in the action history describes an action that was taken on the item. Information includes the date when it happened, the responsible party, and any associated comments. The table has the following columns:

   Date
      The date of the action that is shown in the same row.

   By
      The distinguished name of the registrar who took the action, or the RA program that did so.

   Request Status
      Status of the enrollment request, such as Approved. “Status of enrollment requests” on page 39 describes each status value.

   Fulfillment Status
      Status of processing for the request, such as Delivered.

   Comment
      The comment that is provided by the registrar at the time of the action.

5. Scroll the table, resize columns, or sort the rows of the table if it helps you with your task.

Related topics:

“Action history events” on page 36

Move between tabs
Sometimes you move from one tab to another automatically. For example:
• When you run a query from the Query tab, you move to the Results tab when the query results arrive on the RA Desktop.
• When you request details for a record, you move to the Details tab.
• When you complete an action from the Details tab, you move back to your query results on the Results tab.

To move between tabs at other times, simply click the tab you want to display. When you do, you can expect the following:
• If you return to the Query tab after viewing your query results, your query is still displayed.
• If you request details for the wrong item, you can return to your query results on the Results tab. There, you can select a different record to display in detail. Your query results remain on the Results tab until you run another query.
• Whenever you move to the Details tab after selecting one record on the Results tab, the Details tab shows that record. The tab contains no information if you have not selected a record on the Results tab, or if you select more than one record. After you submit an action on the Details tab, the information is cleared from that tab.

Note: When you begin a session, the RA Desktop fields display only default values.


Resize a table column
To resize a table column:
1. Place the cursor on the boundary of a column you want to resize.
2. Click the mouse and drag it left or right to change the column width.
3. Release the mouse button at the desired width.

Sort table rows by a column
To sort the rows on the basis of a column:
• Click the column heading.
• To sort in the opposite order, click again.

Select records in a table
You can select one or more records:
• To select a single record, click its row.
• To select several adjacent records, click the first record, then hold down the Shift key while you click the last record.
• To select several records that are not adjacent, hold down the Ctrl key while you click each one.
• To deselect a record, click it again.

Take action
You can act on an enrollment request or update the record of a certificate. Both the Results tab and the Details tab contain fields where you can choose the action. Actions you can take depend on your own permissions in the registration domain where you are a registrar.

Act on multiple records
On the Results tab, each row in the table is a record in your query results. You can take action on one or more of the records in the table, or you can look at one record in greater detail before you act.
• To act while viewing multiple records:
   1. Select one or more records.
   2. At Set the validity period, specify a validity period for the certificate to be in effect, if desired.
   3. At Select the request profile, specify a different request profile, if desired, for a request you are approving. “Supplied certificate types” on page 37 describes the features of the certificate that is associated with each request profile.
   4. Open the list at Take action on the selected items and select an action. The list offers only the actions that your permissions for working with records allow.
   5. If you select Revoke as your action, you must select a reason for doing so. At Reason for choosing Revoke, open the list and select a reason. “Reasons for revoking a certificate” on page 35 describes the meaning of each reason.
   6. At Comment on your action, type a comment to document your action, if desired.
   7. Click Submit Action to submit the action for the selected records.
• To see more details of a record before acting:
   1. Select the row that contains the record.
   2. Click the Show Details button.

Related topics:

“Resize a table column” on page 16
“Sort table rows by a column” on page 16

Act on an individual record
On the Details tab, you can make other changes to the displayed record before you specify an action:
1. At Display, select the type of detail you want to see.
   If you display the processing attributes of an item, you can change some of the values in the table.
2. Change some attribute values as necessary. “Attributes of requests and certificates” on page 36 describes some of the attributes.
3. At Set the validity period, specify a validity period for the certificate to be in effect, if desired.
4. At Select the request profile, specify a different request profile for a request you are approving, if desired. “Supplied certificate types” on page 37 describes the features of the certificate that is associated with each request profile.
5. Open the list at Take action on the displayed item and select an action. The list offers only the actions that your permissions for working with records allow.
   Note: If your action is Revoke, you must also select the reason for the revocation. “Reasons for revoking a certificate” on page 35 describes the valid reasons.
6. At Comment on your action, type a comment to document your action, if desired.
7. Click Submit Action to submit the action.

Related topics:

“Resize a table column” on page 16
“Sort table rows by a column” on page 16

Change an attribute value
On the Details tab, when you approve an enrollment request or act on a fulfilled request, you can change the values of some attributes:
1. At Display, select Business process variables.
2. Scroll to the attribute you want to update.
   The values you can update have either a text box for typing a new value or a list box for selecting a different value. “Attributes of requests and certificates” on page 36 describes some of the attributes.
3. Type or select the value you want.

Note: Values in the request profile may override values you set.

Change a validity period
On the Results or Details tab, you can change the validity period for the certificate when you approve an enrollment request or act on a fulfilled request. At Set the validity period, specify a range of dates. To supply a date, click the calendar to open it and then click the date you want. If you type the date, use the same format the calendar uses to fill the text box.
• At Begin date, specify the date the certificate will become valid.
• At End date, specify the date the certificate will expire.

The validity period you specify is passed to the RA when you submit the action.

Usage Guidelines:

You can modify a certificate validity period to a period within the limits of the defined request profile. For example, if a user requests a certificate with a 1–year validity period, you can shorten the period to less than one year. If you need to extend the validity period beyond the limits of the profile, however, you must take one of the following actions:
• Reject the request, and ask the user to submit a request that specifies a longer validity period, such as a 2–year certificate.
• Modify the request profile and submit the change. You must select the Keep Pending action until all changes have been made.
   For example, if you want to change a certificate from a 1–year certificate type to a 2–year certificate type, but limit the certificate validity period to 18 months, take the following steps:
   1. Select the certificate request, and change the certificate type to a 2–year certificate.
   2. Select Keep Pending, and then click Submit Action.
   3. Select the certificate request again, and change the start and end dates as necessary to limit the validity period to 18 months.
   4. Select Approve, and then click Submit Action.
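The following Python is an added example, not code from this guide or from the Trust Authority product. It models the rule stated in the usage guidelines: a validity period is accepted only within the limits of the request profile, so shortening a 1–year request works but extending it fails, and the two-step Keep Pending procedure is what gets an 18–month certificate under a 2–year profile. The profile names, their maximum validity periods, and the assumption that a profile change resets the validity period to the profile's maximum (the behaviour behind the note that profile values may override values you set) are constructed for illustration; the real profiles are described under “Supplied certificate types” on page 37.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


# Assumed request profiles: names and limits are illustrative, not the
# profiles supplied with Trust Authority.
@dataclass(frozen=True)
class RequestProfile:
    name: str
    max_validity_days: int


PROFILES: Dict[str, RequestProfile] = {
    "1-year": RequestProfile("1-year", 365),
    "2-year": RequestProfile("2-year", 730),
}


class ValidityError(ValueError):
    """Raised when a validity period falls outside the profile's limits."""


def check_validity(profile: RequestProfile, begin: date, end: date) -> int:
    """Return the validity length in days, or raise if the profile forbids it."""
    days = (end - begin).days
    if days <= 0:
        raise ValidityError("end date must be after begin date")
    if days > profile.max_validity_days:
        raise ValidityError(f"{days} days exceeds the {profile.max_validity_days}-day "
                            f"limit of profile {profile.name}")
    return days


@dataclass
class EnrollmentRequest:
    profile: str
    begin: date
    end: date
    status: str = "Pending"
    # action history: (action, profile, begin, end, comment)
    history: List[Tuple[str, str, date, date, str]] = field(default_factory=list)


def submit_action(req: EnrollmentRequest, action: str, *,
                  profile: Optional[str] = None,
                  begin: Optional[date] = None, end: Optional[date] = None,
                  comment: str = "") -> str:
    """Model one click of Submit Action with the optional validity period and
    request profile fields filled in. Assumption: when the profile changes, the
    RA resets the validity period to the new profile's maximum, overriding any
    dates entered in the same action. Returns the resulting request status."""
    if begin is not None:
        req.begin = begin
    if end is not None:
        req.end = end
    if profile is not None and profile != req.profile:
        if profile not in PROFILES:
            raise ValidityError(f"unknown profile {profile}")
        req.profile = profile
        req.end = req.begin + timedelta(days=PROFILES[profile].max_validity_days)
    if action == "Approve":
        check_validity(PROFILES[req.profile], req.begin, req.end)   # raises, leaving status unchanged
        req.status = "Approved"
    elif action == "Keep Pending":
        req.status = "Pending"
    elif action == "Reject":
        req.status = "Rejected"
    else:
        raise ValueError(f"unknown action {action}")
    req.history.append((action, req.profile, req.begin, req.end, comment))
    return req.status


def validity_days(req: EnrollmentRequest) -> int:
    return (req.end - req.begin).days


def approve_18_months_two_step(req: EnrollmentRequest) -> int:
    """The guide's worked procedure: change the type and Keep Pending, then
    limit the period and Approve. Returns the final validity in days."""
    submit_action(req, "Keep Pending", profile="2-year", comment="type changed to 2-year")
    submit_action(req, "Approve", end=req.begin + timedelta(days=548),
                  comment="limited to 18 months")
    return validity_days(req)


if __name__ == "__main__":
    req = EnrollmentRequest("1-year", date(2000, 7, 1), date(2001, 7, 1))
    print(approve_18_months_two_step(req), "days,", req.status, req.profile)
```

The one-step variant, changing the profile and the dates in a single Approve, ends up with the full 730 days under this model, which is exactly the outcome the guide's Keep Pending step is there to avoid.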

Specify a request profile
On the Results or Details tab, you can specify a different request profile to use in creating the certificate when you approve an enrollment request.

At Select the request profile, do one of the following:
• Select a request profile from the list. Profiles on the list are the ones you are permitted to specify. “Supplied certificate types” on page 37 describes the certificate that is associated with each request profile.
• Select Use the current profile. This is the default. It enables you to proceed even if the current profile is not one that you are permitted to specify.

The profile you specify is used to process the request and create the certificate after you submit the action.

Add a comment
On the Results or Details tab, you can add comments to explain the action you are taking:
1. At Take action, select an action.
2. At Comment on your action, type your comment in the text box. You can use up to 512 characters.
3. Click Submit Action to include the comment as you update the record.

Your comment is added to the record when you submit your action.


Approve a request
You can approve a request on either the Results tab or the Details tab.
• If you use the Results tab, you can select more than one record to approve.
• If you use the Details tab, you can alter the values of some attributes before approving the displayed request.

From either tab:
1. At Take action, click Approve.
2. Click Submit Action.

Keep a request in pending status
You can keep a request pending on either the Results tab or the Details tab. If you use the Results tab, you can select more than one record to keep pending.

From either tab:
1. At Take action, click Keep Pending.
2. Click Submit Action.

Reject a request
You can reject a request on either the Results tab or the Details tab. If you use the Results tab, you can select more than one record for rejection.

From either tab:
1. At Take action, click Reject.
2. Click Submit Action.

Change renewability
You can change the renewability of a certificate on either the Results tab or the Details tab. You can make a renewable certificate non-renewable, or vice versa. If you use the Results tab, you can select more than one record and then change the renewability status for the group.

From either tab:
1. At Take action, click one of the following:
   • Make request renewable
   • Make request non-renewable
2. Click Submit Action.

Put a certificate on hold
You can put a certificate on hold temporarily, on either the Results tab or the Details tab. If you use the Results tab, you can select more than one certificate to put on hold.

From either tab:
1. At Take action, click Revoke.
2. At Reason, select Put on Hold.
   Note: You can reverse the action later, unless the certificate expires during the time it is on the CRL.
3. Click Submit Action.

After you take this action, the Processing attributes for the record are updated. The Revocation Reason attribute is set to the value Put on Hold.

Related topics:

“Remove a certificate from the CRL”

Revoke a certificate
You can revoke a certificate on either the Results tab or the Details tab. If you use the Results tab, you can select more than one certificate for revocation.

Before you revoke a certificate, you must use the Details tab to review the certificate’s validity period. You must verify that the certificate is currently valid before you submit the revocation request.

To revoke a certificate from either tab:
1. At Take action, click Revoke.
2. At Reason, select a reason.
   Note: If you select the reason Put on hold, you can reverse the action later, unless the certificate has expired.
3. Click Submit Action.

After you take this action, the Processing attributes for the record are updated. The Revocation Reason attribute is set to the value you specified.

Related topics:

“Put a certificate on hold” on page 19
“Remove a certificate from the CRL”

Remove a certificate from the CRL
You might want to remove a certificate from the CRL for either of the following reasons:
• To rid the CRL of certificates that are no longer valid.
• To reactivate a certificate you previously revoked with the reason Put on Hold.

Note: If the certificate has expired in the interim, you cannot reactivate it.

You can remove a certificate from the CRL on either the Results tab or the Details tab. If you use the Results tab, you can select more than one certificate to remove from the CRL.

From either tab:
1. At Take action, click Revoke.
2. At Reason, select Remove from CRL.
3. Click Submit Action.

After you take this action, the Processing attributes for the record are updated. The Revocation Reason attribute is set to the value Remove from CRL.
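The following Python is an added example, not code from this guide or from the Trust Authority product. It models the three Revoke variants of the preceding sections (“Put a certificate on hold”, “Revoke a certificate” and “Remove a certificate from the CRL”) as a state machine over a certificate record and shows what a relying application would conclude from the published CRL: a hold is reversible while the certificate is still valid, an expired certificate cannot be revoked or reactivated but can still be cleared off the CRL, and a permanent revocation stays. The reason codes are taken from the CRLReason enumeration of RFC 2459; that the RA Desktop's Put on Hold and Remove from CRL correspond to certificateHold and removeFromCRL, and that a permanently revoked certificate cannot be removed from the CRL while still valid, are assumptions of this example, not statements of the guide.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum
from typing import List, Optional, Sequence, Tuple


class CRLReason(IntEnum):
    """CRLReason codes from RFC 2459 section 5.3.1. Mapping Put on Hold to
    certificateHold and Remove from CRL to removeFromCRL is an assumption."""
    unspecified = 0
    keyCompromise = 1
    cACompromise = 2
    affiliationChanged = 3
    superseded = 4
    cessationOfOperation = 5
    certificateHold = 6
    removeFromCRL = 8


class RevocationError(ValueError):
    """The requested Revoke action is not allowed for this record."""


@dataclass
class CertRecord:
    serial: int
    not_before: date
    not_after: date
    revocation_reason: Optional[CRLReason] = None   # the Revocation Reason attribute
    history: List[Tuple[date, str, str]] = field(default_factory=list)   # (date, by, comment)

    def is_valid_on(self, when: date) -> bool:
        return self.not_before <= when <= self.not_after


def revoke(rec: CertRecord, reason: CRLReason, when: date, by: str,
           comment: str = "") -> Optional[CRLReason]:
    """Apply the Revoke action with the chosen reason and return the resulting
    Revocation Reason attribute (None means the certificate is not on the CRL)."""
    if reason == CRLReason.removeFromCRL:
        if rec.revocation_reason is None:
            raise RevocationError(f"serial {rec.serial} is not on the CRL")
        if rec.is_valid_on(when) and rec.revocation_reason != CRLReason.certificateHold:
            # Assumption: a still-valid certificate revoked for any reason other
            # than a hold stays revoked; only a hold is reversible.
            raise RevocationError(f"serial {rec.serial} was revoked permanently")
        # Either reactivates a held certificate or clears an expired one off the
        # CRL. An expired certificate is not reactivated: it is simply no longer valid.
        rec.revocation_reason = None
    else:
        # "Verify that the certificate is currently valid before you submit."
        if not rec.is_valid_on(when):
            raise RevocationError(f"serial {rec.serial} is not valid on {when}")
        if rec.revocation_reason not in (None, CRLReason.certificateHold):
            raise RevocationError(f"serial {rec.serial} is already revoked")
        rec.revocation_reason = reason
    rec.history.append((when, by, f"Revoke/{reason.name}: {comment}"))
    return rec.revocation_reason


def build_crl(records: Sequence[CertRecord], issued: date) -> List[Tuple[int, CRLReason]]:
    """Entries a CRL issued on `issued` would carry: revoked certificates that
    have not yet expired (an expired certificate no longer needs listing)."""
    return sorted((r.serial, r.revocation_reason) for r in records
                  if r.revocation_reason is not None and r.not_after >= issued)


def check_certificate(crl: Sequence[Tuple[int, CRLReason]], rec: CertRecord, when: date) -> str:
    """What a relying application decides from the CRL plus the validity dates."""
    if not rec.is_valid_on(when):
        return "not valid"
    for serial, reason in crl:
        if serial == rec.serial:
            return "on hold" if reason == CRLReason.certificateHold else "revoked"
    return "good"


if __name__ == "__main__":
    # Constructed sample certificate; serial and dates are invented.
    cert = CertRecord(1001, date(2000, 1, 1), date(2000, 12, 31))
    revoke(cert, CRLReason.certificateHold, date(2000, 6, 1), "cn=registrar", "lost token")
    print(check_certificate(build_crl([cert], date(2000, 6, 2)), cert, date(2000, 6, 2)))
    revoke(cert, CRLReason.removeFromCRL, date(2000, 7, 1), "cn=registrar", "token found")
    print(check_certificate(build_crl([cert], date(2000, 7, 1)), cert, date(2000, 7, 1)))
```

The point of the `is_valid_on` guard before a permanent revocation is the one the guide makes about reviewing the validity period first: revoking a certificate that is already expired adds nothing to the CRL except size, and a relying party that checks validity dates before the CRL, as `check_certificate` does, never needs the entry.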

Related topics:

“Put a certificate on hold” on page 19


Check permissions for the domain
On either the Results tab or the Details tab:
1. Click Take action.
2. View the list of actions.

These are your capabilities for working with records of certificates and enrollment requests for the registration domain. If you have authority only to view the records, the only value on the list is No action is available.

Exit the RA Desktop
To exit the RA Desktop from any of its tabs, do either of the following:
• Click Exit.
   You are returned to the Web page where you accessed the RA Desktop, unless your organization has set another path for you.
• Close the desktop as you would close other browser windows, by clicking one of the small icons on the title bar. This closes your browser.

Uninstall the RA Desktop
Use the following procedure if you need to remove the RA Desktop applet from your workstation.
1. Select Start → Settings → Control Panel.
2. Double-click Add/Remove Programs.
3. Select the IBM SecureWay Trust Authority RA Desktop program folder, and click Add/Remove.
4. When prompted to confirm that you want to delete the program, click Yes.
5. If you see a message about certain folders not being deleted, click Details. You must manually delete any folders listed in the Details window to completely remove the RA Desktop from your system.


Chapter 4. Tell me about...

The topics in this section define or describe concepts that are related toregistration, certification, and administration in an RA Desktop setting.

Enrollment
Enrollment is applying for a certificate. Trust Authority offers more than one method of enrollment, and your organization’s policies dictate which methods are available. Users might do either of the following:
• Complete and submit a Trust Authority enrollment form through their Web browsers. In default Trust Authority installations, the enrollment forms are at a Web page called Credential Central. Your site might call this page by another name.
• Preregister more informally and then supply preregistration values to Trust Authority through a Trust Authority Client application installed on their workstation.

As a Registration Authority (RA) registrar, you must enroll for a certificate to access the RA Desktop. Later, you might use the enrollment Web page to preregister other users.

Data from enrollment forms goes into database records that you can view from the RA Desktop.

Preregistration
Trust Authority enables a program or an administrator to preregister prospective users.

If you preregister other people for certificates, here is the scenario for doing so:
• You need to get information about the person you want to preregister. You might get it from the person or use organization records, such as information from a database.
• You access the enrollment page from your Web browser. There is an enrollment form especially for preregistering someone.
• You complete the form, supplying information that describes the person and the type of certificate they want. Then you submit the form.
• You check on the status of the request. When the preregistration request is approved, you receive a transaction ID, password, and the URL of the RA that approved the request.
• You give this information, by telephone, e-mail, or in person, to the person you preregistered. Optionally, for their convenience, you can give them a preregistration file that contains other request information. The person uses what you send when they are ready to request their certificate.

For guidance during preregistration tasks, refer to the Trust Authority User’s Guide.

Web browser support
Trust Authority enables you to create an enrollment request by completing and submitting an enrollment form through either of the following Web browsers:
• Microsoft Internet Explorer, release 5.0.
• Netscape Navigator or Communicator, version 4.0.5 or later.

To access the RA Desktop you can use one of the following browsers:
• Microsoft Internet Explorer, release 5.0
• Netscape Navigator or Communicator, version 4.5.1 or later, or version 4.7 on AIX with DCE attributes.

Registration
Registration is the process of granting a digital certificate to a person or other entity. In Trust Authority, preliminary to registration, either a program or a registrar evaluates the information that was provided with the enrollment request. Then, whether or not the request is granted, the Trust Authority RA creates a record for the request in the registration database. If the decision is to grant the certificate, the Trust Authority Certificate Authority (CA) issues the certificate.

Business policy
When a program supplements your work as a registrar, it applies the business policies of your organization to some of the enrollment information. The type of information it can evaluate is less complex than the kind you evaluate. Values tend to be precise, such as the minimum number of years in a residence. Trust Authority enables your organization to provide policy information to such a program. The program uses that information in its evaluations.

Registration authorities
In Trust Authority, the RA is a server application. It is responsible for some of the administrative tasks necessary to the registration of users, including:
• Confirming a user’s identity
• Verifying that a requester is entitled to a certificate with the requested attributes and permissions
• Approving or rejecting requests to create or revoke certificates
• Verifying that someone who attempts to access a secure application has the private key associated with the public key within a certificate

Using the RA Desktop, you initiate or direct some actions of the Trust Authority RA.

Registration databases
A Trust Authority registration database stores registration records. The registration database is a relational database, created with IBM DB2® Universal Database. Trust Authority encrypts the records. However, through the RA Desktop an authorized registrar can read most of the registration information.

Registration domains
Each Trust Authority system has a single registration domain. This domain defines the business policies, certificate policies, and resources that are associated with registration and certification at your organization. Users who want to access a resource must be registered in the domain for that resource.

When the RA server software is installed, it contains the framework that allows an organization to set up a registration facility. It can use any of the languages or policies that the RA supports. The domain name, language, and installation path form the URL for accessing your organization’s registration pages.

For example, if your public Web server is named MyPublicWebServer, and your domain name is MyDomain, you would use the following URL to access the registration facility:
http://MyPublicWebServer/MyDomain/index.jsp

A Trust Authority system includes a default Java Server Page (index.jsp). That page is displayed at the URL for the registration domain. It provides enrollment services:
• Prospective users go to that Web page to request a certificate, and to renew or revoke their own browser certificates.
• To support these users, you must go to that Web page and get your own certificate for accessing the RA Desktop. Then you can use it to preregister other users.

You access the RA Desktop to work with the registration requests and certificates that are associated with a registration domain.

Registration records
Each request for a certificate is an enrollment form that is submitted to the Trust Authority RA. Each enrollment request results in a registration database record. Updates to this record reflect every action on the request, even a rejection of the request. If a certificate is created, the same record reflects any events that are related to that certificate. Thus the registration record contains all the events in the life cycle of the request and the associated certificate.

Record attributes
The attributes of a record in the registration database are variables that describe the enrollment request. For fulfilled requests, variables also describe the certificate that was granted. Other attributes are processing variables that help your organization enforce its business policies. Some attributes and their values are visible to registrars through the RA Desktop.

Certification
Certification is the creation of a digital certificate for an entity or person. For Trust Authority, certification occurs only after evaluation and approval of an enrollment request. As the result of registration, the Certificate Authority (CA) issues the certificates. For Trust Authority, the type of certificate that is issued is consistent with the business policies of your organization.

Certificate authorities
In Trust Authority, the CA is a server program responsible for issuing digital certificates in accordance with the policies of your organization.

Trust Authority supports cross-certification, in which CAs that trust each otheragree to accept each other’s certificates as proof of authenticity. Trust Authorityalso supports a CA hierarchy. CAs trust the CAs that are above them in thehierarchy and accept the certificates of those CAs as proof of authenticity.


Certificate revocation lists
The Trust Authority RA publishes a certificate revocation list (CRL) at regular intervals. The CRL lists the certificates that are no longer valid, so that holders who present them are not authenticated.

Any CA, RA, or application can access this list to determine whether a certificatehas been revoked. This is one way that the Trust Authority RA provides securitywhen users try to access the secure applications of your organization.

DirectoriesThe Directory that Trust Authority uses for storing certificates is the IBMSecureWay Directory. This Directory may be one that your organization set upspecifically for use with Trust Authority. Alternatively, it may be one that you haveinstalled previously and use with other applications.

The protocol that Trust Authority uses for accessing the Directory is theLightweight Direct Access Protocol (LDAP).

Distinguished namesThe distinguished name (DN) is an element of the Directory entry for a digitalcertificate. It uniquely identifies the position of the entry in the hierarchicalstructure of the Directory.

CertificatesA certificate is a digital credential, signed by a CA that vouches for the identity ofthe certificate holder. The holder can use the certificate as authentication whencommunicating with others or when requesting access to a secure application. InTrust Authority, even servers, applications, and devices such as printers and smartcards must have certificates, to authenticate them to users and to each other.

Trust Authority supports X.509v3 certificates in the following categories:v Browser certificatesv Server certificatesv Device certificatesv Certificates for accessing PKIX-compliant applicationsv Cross-certificates for CAs

Trust Authority also supports the following protocols:v SSLv S/MIMEv IPSecv PKIX CMP

A default Trust Authority installation provides a variety of certificate types that arebased on these categories and protocols. Enrollees can request certificates that meettheir needs. “Supplied certificate types” on page 37 describes the certificate types.

Browser certificatesA browser certificate is a digital credential that is typically stored in an encryptedfile by your Web browser. Some applications permit you to store the keys on asmart card or other media. In a Trust Authority system, you can request a browsercertificate directly through your Web browser. Later, if necessary, you can return tothe enrollment Web page to renew or revoke that certificate.


CA certificates

Every browser, server, device, or application that has a certificate to present to Trust Authority servers must also have a compatible CA certificate. This certificate is needed for authenticating communications from servers that hold certificates issued by the Trust Authority CA.

You must have a Trust Authority CA certificate in your browser to use the secure Trust Authority enrollment services. You can get this the first time you visit the Trust Authority enrollment Web pages. After that, whenever you request a certificate from the enrollment services, you can download a corresponding CA certificate that is compatible with it.

For example, if you request a 2-year SSL browser certificate, you can receive a CA certificate that is compatible with that certificate.

Note: Early releases of Netscape could accept a site certificate presented by a Trust Authority server. That certificate was acceptable for both server-authenticated and client-authenticated communications with that server. However, the latest release of Netscape requires a CA certificate for client-authenticated sessions.

Server or device certificates

If it is part of your job, you can request a certificate for a server or a device. Use the enrollment form that is provided through your Web browser.

The server or device for which you are requesting a certificate must use the PKCS #10 request format.

Certificate extensions

Certificate extensions are optional elements in the format of an X.509v3 certificate. Extensions make it possible to incorporate additional fields into the certificate. Trust Authority provides a group of certificate extensions to enable your organization to customize the certificates it issues. These additional fields are known as business process variables.

When you view a record on the RA Desktop, you can see these fields when you display processing attributes. In some cases, you may be able to update their values.

Certificate life cycles

When you request a certificate, you initiate a life cycle that continues for the lifetime of that credential. That life cycle ends when the certificate is revoked or when it expires.

If a certificate is renewed, a new record is created in the registration database.

Renewability

The renewability of a certificate is one of the characteristics that you can alter from the RA Desktop:
• If you make a certificate renewable, the holder can apply for a new one while the old one is still valid. Possession of a renewable certificate simplifies the enrollment process and the registration effort.


• If you make a certificate non-renewable, the holder must wait until it expires, and then enroll again if they still need a certificate. When they enroll, they must supply all the information, as if they were registering for the first time.

Some users can submit their own renewal requests:
• Users with renewable browser certificates can request renewal on the enrollment Web page.
• Users with renewable certificates for accessing PKIX-compliant applications can request renewal by using the Trust Authority Client application.

Administration

Before you can work as a registrar, you must request and receive a certificate for the Web browser from which you plan to use the RA Desktop. After getting the browser certificate, you must present it each time you want to access the RA Desktop. To view or act on any registration records or requests from the RA Desktop, you must also have the proper file permissions.

The topics in this section relate to the use and administration of certificates.

Access control

An access control list (ACL) authenticates and authorizes internal Trust Authority users, devices, and software. For example, the RA Desktop support servlet uses the ACL to authenticate and authorize registrars before they can access the RA Desktop.

Authentication and authorization

Authentication provides proof of identity, whereas authorization provides permission to do something. Trust Authority enables your organization to insist on both before users access secure applications. In turn, certificate holders can be confident that the applications that they are using are secure.

Concurrent administration

Trust Authority provides a single registration domain, but more than one registrar can work within that domain. The design of the RA Desktop servlet and the RA prevents anyone from updating a record if someone else is already working with it. However, more than one administrator can view the same record simultaneously.

RA Desktop support servlet

The RA Desktop support servlet is a Trust Authority application that provides the RA Desktop services to registrars. The servlet returns information when a registrar runs a query, and it updates records when a registrar authorizes changes to them.

Request profiles

Trust Authority provides a default set of request profiles that your organization can use to simplify registration and certification. A request profile controls the attributes and processing of an enrollment request. Each request profile includes a template for a certificate. There are various request profiles for the supported certificate categories.

The name of the request profile for an item is one of its attributes. If necessary, you can specify a different request profile when you approve the enrollment request.


You might see one request profile name listed with the Request attributes, and another one listed with the Basic attributes. This means that a registrar or an RA process overrode the request profile at some point. The profile in the Request attributes was frozen with other attributes of the enrollment request. The profile in the Basic attributes is the current request profile.


Chapter 5. Reference

The topics in this section include field descriptions, valid field values, and the meanings of attributes that are displayed on the RA Desktop. Topics are organized on the basis of where on the RA Desktop you would need the information.

Query tab

On the Query tab, you can prepare a query that retrieves certificate or enrollment request information.

The tab has the following features:
• Fields for preparing your query.
• A Submit Query button for running your query.
• Help for your task:
  – A status area at the bottom of a tab. This displays field-specific help, Trust Authority messages, and a progress bar during processing.
  – A Help button for the tab.

When the results of your query are ready, the RA Desktop automatically displays the Results tab.

Query fields

Use as many fields as you need to in preparing your query. Some fields are not available if they are mutually exclusive with others you have chosen:
• At Query type, click one of the following:
  – By status, name, and update date, to retrieve records of enrollment requests or certificates on the basis of their status.
  – By renewability and expiration, to retrieve records of certificates for which you need renewability or expiration information.
• If at Query type you selected By status, name, and update date, you can refine your query as needed by using the following fields:
  – Use the list at Status to retrieve items of every status or only items with one specific status. From the list, select one of the following Request Status values. The default selection is Pending.

    All
        Retrieves enrollment requests regardless of their status.
    Received
        Retrieves newly received enrollment requests.
    Pending
        Retrieves requests that have not been approved or rejected. Some pending requests are new and require your decision. Others are awaiting some further information before you can deal with them. This is the default value.
    Approved
        Retrieves requests an RA or registrar has approved. The status of the associated certificate may vary.
    Rejected
        Retrieves requests an RA or registrar has refused to approve.


    Completed
        Retrieves requests that an RA or registrar has either approved or rejected. For approved requests with this status, the certificate has been delivered to the user.

  – Use the following fields to retrieve only the records of requests or certificates associated with a specific name:
    - At Last Name, type a last name, family name, or surname. You can also type the first letters of a name to retrieve all the names that begin with those letters. For example, if you type Smi, you would retrieve records for Smith, Smithers, Smiley, and other last names that begin with "Smi".
    - At First Name, type a first name. You can also type the first letters of a name to retrieve all the names that begin with those letters. For example, if you type "Joh*", you would retrieve records with the first name Johanna, John, Johan, and other first names that begin with "Joh".
  – Use Range of dates for last update to retrieve only items that were last updated during a certain period. Specify a range of dates.
    - There is no default date.
    - If you do not specify a date in either field, you retrieve all the records that match the rest of your query.

    To supply a date, click the calendar to open it and then click the date you want. If you type the date, use the same format the calendar uses to fill the text box.

    From
        The earliest date in the range. If you leave this field blank, your query retrieves every record that was updated on and before the date in the To field.
    To
        The most recent date in the range. If you leave this field blank, your query retrieves every record that was updated on and after the date in the From field.

• If at Query type you selected By renewability and expiration, you can refine your query as needed by using the following fields:
  – Use the list at Renewability to base your query on whether a certificate is renewable. From the list, select one of the following values:

    Renewable
        The certificate can be renewed if it has not yet expired.
    Non-renewable
        The certificate cannot be renewed.

  – Use Range of expiration dates to retrieve only items that are due to expire during a certain period. Specify a range of dates.
    - There is no default.
    - If you do not specify a date in either field, you retrieve all the records that match the rest of your query.

    To supply a date, click the calendar to open it and then click the date you want. If you type the date, use the same format the calendar uses to fill the text box.

    From
        The earliest expiration date. If you leave this field blank, your query retrieves every record that expired, or will expire, on and before the date in the To field.
    To
        The latest expiration date.


        If you leave this field blank, your query retrieves every record that expired, or will expire, on and after the date in the From field.

• Use either or both of the following fields to control the processing and display of your query:

  Retrieval limit
      The maximum number of records to retrieve, no matter how many records match your query. Select one of the following:
      – 50
      – 100
      – 150
      – 250 (default)
      – Unlimited (retrieves all matching records)

  Page size
      The number of records to display on each page of the Results tab. You can move through these pages to find the needed records in your query results. Either select one of the following or type a number over the displayed default.
      – 10
      – 15 (default)
      – 20
      – 25
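The filter and paging rules described for the Query fields (status filter, prefix matching on names, inclusive date ranges with a blank From or To, retrieval limit and page size), worked through in Python over a constructed set of records. This is an added example, not part of this guide or of Trust Authority; the record fields, the case-insensitive matching and the sample data are assumptions.

```python
"""Query-tab semantics (status filter, name prefix, open-ended inclusive date
ranges, retrieval limit, page size) over constructed registration records.
Added example, not Trust Authority code; fields and data are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Record:
    request_id: str
    last_name: str
    first_name: str
    request_status: str      # Received, Pending, Approved, Rejected, Completed
    last_update: date
    renewable: bool
    expiration: date


# Constructed sample records (not real registration data).
RECORDS = [
    Record("R-0001", "Smith", "John", "Pending", date(2000, 6, 1), True, date(2001, 6, 1)),
    Record("R-0002", "Smithers", "Mary", "Approved", date(2000, 6, 3), False, date(2002, 6, 3)),
    Record("R-0003", "Smiley", "Johanna", "Pending", date(2000, 6, 5), True, date(2001, 6, 5)),
    Record("R-0004", "Jones", "Johan", "Rejected", date(2000, 6, 7), False, date(2001, 6, 7)),
    Record("R-0005", "Brown", "Alice", "Completed", date(2000, 6, 9), True, date(2002, 6, 9)),
    Record("R-0006", "Schmidt", "Otto", "Received", date(2000, 6, 11), False, date(2001, 6, 11)),
]

RETRIEVAL_LIMITS = (50, 100, 150, 250, None)   # None = Unlimited
STATUSES = ("All", "Received", "Pending", "Approved", "Rejected", "Completed")


def name_matches(value: str, pattern: Optional[str]) -> bool:
    """Prefix match as in the Last Name / First Name fields: "Smi" matches
    Smith, Smithers, Smiley. A trailing '*' (as in "Joh*") is tolerated.
    Case-insensitive matching is this example's assumption."""
    if not pattern:
        return True
    return value.lower().startswith(pattern.rstrip("*").lower())


def in_range(day: date, start: Optional[date], end: Optional[date]) -> bool:
    """Inclusive range: blank From keeps everything on and before To, blank To
    keeps everything on and after From, both blank keeps every record."""
    return (start is None or day >= start) and (end is None or day <= end)


def apply_limit(hits: List[Record], limit: Optional[int]) -> List[Record]:
    """Retrieval limit: cap the result set; None retrieves all matches."""
    if limit not in RETRIEVAL_LIMITS:
        raise ValueError("Retrieval limit must be 50, 100, 150, 250 or None")
    return hits if limit is None else hits[:limit]


def query_by_status(records, status="Pending", last_name=None, first_name=None,
                    updated_from=None, updated_to=None, retrieval_limit=250):
    """Query type 'By status, name, and update date'; defaults mirror the
    Desktop (Pending, no name or date filter, limit 250)."""
    if status not in STATUSES:
        raise ValueError("unknown Request Status: %r" % status)
    hits = [r for r in records
            if (status == "All" or r.request_status == status)
            and name_matches(r.last_name, last_name)
            and name_matches(r.first_name, first_name)
            and in_range(r.last_update, updated_from, updated_to)]
    return apply_limit(hits, retrieval_limit)


def query_by_renewability(records, renewable=None, expires_from=None,
                          expires_to=None, retrieval_limit=250):
    """Query type 'By renewability and expiration'; renewable=None leaves the
    Renewability list unset, so both values are retrieved."""
    hits = [r for r in records
            if (renewable is None or r.renewable == renewable)
            and in_range(r.expiration, expires_from, expires_to)]
    return apply_limit(hits, retrieval_limit)


def page(results: List[Record], page_size: int = 15, page_number: int = 1):
    """One page of the Results tab; page_size is 10/15/20/25 or any positive
    number typed over the default, page_number is 1-based."""
    if page_size < 1 or page_number < 1:
        raise ValueError("page size and page number must be positive")
    start = page_size * (page_number - 1)
    return results[start:start + page_size]


def ids(results) -> List[str]:
    return [r.request_id for r in results]
```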

Predefined queries

The only predefined query is the default query, which retrieves all pending requests.

Retrieval limit options

On the Query tab, your options for setting a Retrieval limit are:
• 50
• 100
• 150
• 250 (default)
• Unlimited (retrieves all the matching records)

These options affect the number of records in your query results on the Results tab.

Records per page options

On the Query tab, your options for Records per page are:
• 10
• 15 (default)
• 20
• 25
• Any number you type over the displayed default

These options affect the display of your query results on the Results tab.

Results tab

On the Results tab, you see the results of running your query. The tab has the following features:
• A table that contains the results of your query.
  – Each row contains the record of an item that matches your query.


  – You can sort the rows on the basis of values in a column.
  – You can resize the columns to change their widths.
  – You can scroll through your results if a page of the table is longer than the display.
  – If your results are on multiple pages, you can click Next Page and Previous Page to look at them.

  Note: You may notice a delay when you request the next page or the previous page. Pages are retrieved from the server as you need them, so only the current page is available locally.

• Fields for setting the validity period of a certificate, if desired.
• A field for specifying a different request profile, if desired, when you approve a request.
• A selection list of the actions available for processing one or more selected items. If the action is Revoke, there is also a selection list of reasons for revocation.
• A comment field where you can comment on the action you take.
• A Show Details button for displaying a record in greater detail. If you click this, the RA Desktop displays the Details tab.
• A Submit Action button for completing the action you select.
• Help for your task:
  – A status area at the bottom of a tab. This displays field-specific help, Trust Authority messages, and a progress bar during processing.
  – A Help button for the tab.

By clicking the Query tab, you can return there to refine your query or prepare another one.

Administrative actions

The only actions available to you are those that your permissions for working with records allow. You might see any of the following.

Approve
    This approves the enrollment request, so the enrollee can have the requested certificate.
Keep pending
    Delays a decision. Use this when you need to get information from an outside source or just want to add a comment to the record.
Reject
    Denies the enrollment request.
Revoke
    Ends the validity of a certificate.

    Note: If you revoke a certificate with the reason Put on hold, you can reverse the action later, unless the certificate has expired. Simply revoke it again, with the reason Remove from CRL.

Make request non-renewable
    Changes a renewable certificate to non-renewable.
Make request renewable
    Changes a non-renewable certificate to renewable.


No action is available
    Indicates that you only have authority to view the records in the registration domain.

Reasons for revoking a certificate

When you revoke a certificate, you must select a reason for doing so. The following are valid reasons you can select when you revoke a certificate.

When you display details of a record and look at its Processing attributes, the Revocation Reason attribute may contain one of these values:

CA key was compromised
    The key of the Certificate Authority was compromised.
Certificate was superseded
    The user has a new certificate and does not need this one.
No reason
    The user requested revocation without giving a reason.
Original use no longer valid
    The certificate holder no longer needs the certificate for its original use.
User changed affiliation
    The user no longer has the affiliation that required the certificate.
User key was compromised
    The user’s private key was compromised.

Note: The following reasons cause modifications to the revocation action:

Put certificate on hold
    Alters the revocation action to make a certificate inactive, rather than revoking it. You can activate the certificate later if it does not expire while it is on the CRL. See Remove from CRL, below.
Remove from CRL
    Alters the revocation action for a certificate that is on hold:
    • If the certificate has expired, this removes it from the CRL to clean up the CRL.
    • If the certificate has not expired, this reactivates it.
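The hold and Remove-from-CRL behaviour described above, modelled in Python as an added example (not Trust Authority code). The Desktop's reason wording is mapped to the standard X.509 CRLReason codes of RFC 5280; that mapping and the data model are this example's assumptions, not a statement about how the product encodes reasons.

```python
"""Revocation, hold and Remove-from-CRL semantics as the RA Desktop describes
them, with the reason wording mapped to the standard X.509 CRLReason codes
(RFC 5280). Added example, not Trust Authority code; the mapping and the data
model are assumptions, not the product's internal representation."""
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum
from typing import Dict


class CRLReason(IntEnum):
    """reasonCode values defined by RFC 5280 (value 7 is unused there)."""
    unspecified = 0
    keyCompromise = 1
    cACompromise = 2
    affiliationChanged = 3
    superseded = 4
    cessationOfOperation = 5
    certificateHold = 6
    removeFromCRL = 8


# RA Desktop revocation reasons -> CRLReason (assumed mapping).
DESKTOP_REASONS: Dict[str, CRLReason] = {
    "CA key was compromised": CRLReason.cACompromise,
    "Certificate was superseded": CRLReason.superseded,
    "No reason": CRLReason.unspecified,
    "Original use no longer valid": CRLReason.cessationOfOperation,
    "User changed affiliation": CRLReason.affiliationChanged,
    "User key was compromised": CRLReason.keyCompromise,
    "Put certificate on hold": CRLReason.certificateHold,
    "Remove from CRL": CRLReason.removeFromCRL,
}


@dataclass(frozen=True)
class Certificate:
    serial: int
    not_after: date


@dataclass
class CRLEntry:
    serial: int
    reason: CRLReason
    revocation_date: date


@dataclass
class RevocationAuthority:
    """Holds the CRL entries the RA would publish at its next interval."""
    crl: Dict[int, CRLEntry] = field(default_factory=dict)

    def revoke(self, cert: Certificate, reason_text: str, today: date) -> str:
        """Apply a Revoke action with one of the Desktop's reasons."""
        reason = DESKTOP_REASONS[reason_text]
        entry = self.crl.get(cert.serial)
        on_hold = entry is not None and entry.reason is CRLReason.certificateHold
        if reason is CRLReason.removeFromCRL:
            # Only meaningful for a certificate that is currently on hold.
            if not on_hold:
                raise ValueError("Remove from CRL applies only to a certificate on hold")
            del self.crl[cert.serial]
            # Expired: the entry is just dropped to keep the CRL small.
            # Not expired: the certificate becomes usable again.
            return "removed" if cert.not_after < today else "reactivated"
        if entry is not None and not on_hold:
            raise ValueError("certificate is already revoked; that cannot be reversed")
        # A hold may be replaced by a final revocation (e.g. key compromise).
        self.crl[cert.serial] = CRLEntry(cert.serial, reason, today)
        return "on hold" if reason is CRLReason.certificateHold else "revoked"

    def status(self, cert: Certificate, today: date) -> str:
        """What a relying party concludes from the validity period plus the CRL."""
        if cert.not_after < today:
            return "expired"
        entry = self.crl.get(cert.serial)
        if entry is None:
            return "good"
        return "on hold" if entry.reason is CRLReason.certificateHold else "revoked"

    def reason_codes(self) -> Dict[int, int]:
        """Serial -> numeric reasonCode, as a CRL entry extension would carry it."""
        return {serial: int(e.reason) for serial, e in self.crl.items()}
```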

Details tab

On the Details tab, you see the details of the record you selected from those that matched your query. The tab has the following features:
• A list for selecting the type of detail you want to view. The list includes the action history of the item and several groups of attributes that belong to the item. “Detail groups” on page 38 describes these groups.
• A table that displays the type of detail you have selected:
  – If you display the attributes, each row contains an attribute and its value. You can update some of the values at the time you approve an enrollment request.
  – If you display the action history, each row represents an action that was taken on the item.
  – You can sort the rows on the basis of values in a column.
  – You can resize the columns to change their widths.
• Fields for setting the validity period of a certificate, if desired.


• A field for specifying a different request profile, if desired, when you approve a request.
• A selection list of the actions available to you. If the action is Revoke, there is also a selection list of reasons for revocation.
• A comment field where you can comment on the action you take.
• A Refresh Details button for updating the display.
• A Submit Action button for completing the action you select.
• Help for your task:
  – A status area at the bottom of a tab. This displays field-specific help, Trust Authority messages, and a progress bar during processing.
  – A Help button for the tab.

By clicking the Query tab, you can return there to refine your query or prepare another one. By clicking the Results tab, you can return there to continue working with the results of your query.

Action history events

The query results table on the Results tab and the action history table on the Details tab have similar columns. The Request status column describes RA action on the enrollment request. The Fulfillment status column describes the status of processing for the request.
• On the Results tab, the query results table displays the current status for each item in your query results.
• On the Details tab, columns of the action history table display each previous status, as well as the current status of the displayed item.

Attributes of requests and certificates

The following attributes are classified as Request Attributes. You can alter the values of some attributes.

Business Process Variables
    Values that are supplied by the organization during the enrollment process. Reasons for revocation of a certificate are available in this attribute.
Credential Expiration Date
    The date that the certificate is due to expire.
Credential Renewable Status
    Indicates whether the certificate can be renewed.
Credential UUID
    The Universal Unique Identifier, a primary key that is generated to provide an index to the database record.
Error Code
    An internal code that signifies the type of error that occurred. This field and the Error Source field describe the same error.
Error Source
    The process or other element of Trust Authority where an error occurred during processing of RA Desktop requests.
First Name
    The first element of the applicant’s full name. Although this is typically the applicant’s first name, the value might also include the middle name or middle initial.


Fulfillment Status
    Status of processing for the request. The action history displays this status. “Status of enrollment requests” on page 39 describes each status value.
Last Name
    The applicant’s last name, family name, or surname.
Previous Request ID
    An encoded string that represents the ID generated for an earlier registration request, if the certificate has been renewed.
Registration Domain
    The registration domain that provides secure resources for the holder of a certificate.
Request ID
    An encoded string that represents the ID generated for a registration request.
Request Profile name
    Controls for processing the enrollment request. This profile includes a template for the certificate. Values in this profile override any other modifications you might make if they are at odds with the profile. “Supplied certificate types” describes the features of the certificate that is associated with each request profile.

    Note: When you view the attributes for a record, you may see two request profiles listed. The Request attributes may list one, and the Basic attributes may list another. This means that a registrar overrode the request profile at some point in the past. The profile in the Request attributes was frozen with other attributes of the enrollment request. The profile in the Basic attributes is the current request profile.

Request Status
    Status of the enrollment request. The action history displays this status. “Status of enrollment requests” on page 39 describes each status value.
Request Variables
    Values the requester supplied during the enrollment process.

Certificate extensions

Extensions are added to a certificate in the form of name=value pairs, and may be among the attributes that are displayed for a certificate. The following certificate extensions are acceptable for the certificates of individuals who want to use a secure application:
• Basic Constraints
• Key Usage
• Name Constraints
• Private Key Usage Period
• Subject Alternate Name

Supplied certificate types

A Trust Authority system provides multiple certificate types for the supported certificate categories and protocols. Variations include different validity periods. The name of the certificate is an indicator of how long it is valid and the primary use of the key. See the Glossary for descriptions of the various features.


CA Cross-certificate
    Enables the CA that holds it to have its certificates trusted by the issuing CA. The certificate provides digital signature and non-repudiation.
1- and 2-year Data Encipherment
    Enables the holder to encrypt data. The certificate is not intended for other purposes.
1- and 2-year E-mail Protection
    Enables the holder to use the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol. This protocol protects e-mail or other MIME objects. It provides authentication of origin, message integrity, non-repudiation of origin, and confidentiality. It is a typical choice for an end user.
1- and 2-year IPSec
    Assures the integrity and confidentiality of data that is sent over the Internet in Internet protocol packets. An IPSec certificate is for data rather than users, and is often assigned to a router.
1- and 2-year Key Encipherment Only
    Enables the holder to encrypt keys. The certificate is not intended for other purposes.
1- and 2-year Non-repudiation
    Provides message encryption and digital signing capabilities, to provide non-repudiation of the origin of a message or of its delivery.
1- and 2-year Signing Only
    Enables the holder to sign a file digitally. The certificate is not intended for other purposes.
1- and 2-year Web Client Authentication
    Enables a Web browser to participate in a client-authenticated SSL session. With this certificate, the user of the browser can access a specific secure Web site. The certificate provides digital signature, non-repudiation, and key encipherment. It is a typical choice for an end user.
1- and 2-year Web Server Authentication
    Enables a server to participate in a server-authenticated SSL session. The certificate provides digital signature and key encipherment.

Enrollees or people who preregister for someone else can request a suitable certificate type. When you assign a Request Profile, it contains a template for one of the certificate types.

Note: The list you see might not match this list. Your organization might have changed the names or even the offerings. The list you see also depends on your permissions for the registration domain.
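The key-usage features listed for each supplied type ("digital signature", "non-repudiation", "key encipherment", "data encipherment") correspond to named bits of the X.509v3 Key Usage extension mentioned under Certificate extensions. This added Python example (not Trust Authority code) encodes and decodes that BIT STRING in DER for the types whose usages this section states; the bit positions follow RFC 5280, and the type table is transcribed from the section.

```python
"""Key Usage extension bits for the supplied certificate types, encoded and
decoded as the DER BIT STRING that X.509v3 carries. Added example, not Trust
Authority code: bit positions follow RFC 5280; the type table is transcribed
from this section for the types whose key-usage features it states."""
from typing import Iterable, Set

# RFC 5280 KeyUsage named bits (bit 0 is the most significant bit of byte 0).
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

# Key-usage features the guide attributes to each supplied type.
SUPPLIED_TYPES = {
    "CA Cross-certificate": ("digitalSignature", "nonRepudiation"),
    "Data Encipherment": ("dataEncipherment",),
    "Key Encipherment Only": ("keyEncipherment",),
    "Signing Only": ("digitalSignature",),
    "Web Client Authentication": ("digitalSignature", "nonRepudiation", "keyEncipherment"),
    "Web Server Authentication": ("digitalSignature", "keyEncipherment"),
}


def key_usage_der(usages: Iterable[str]) -> bytes:
    """DER-encode KeyUsage: tag 0x03, length, unused-bit count, bit bytes.
    DER drops trailing zero bits, so the number of bytes and the unused-bit
    count both depend on the highest bit that is set."""
    positions = sorted(KEY_USAGE_BITS[u] for u in usages)
    if not positions:
        return b"\x03\x01\x00"            # empty BIT STRING
    highest = positions[-1]
    body = bytearray(highest // 8 + 1)
    for p in positions:
        body[p // 8] |= 0x80 >> (p % 8)
    unused = 7 - highest % 8
    content = bytes([unused]) + bytes(body)
    return b"\x03" + bytes([len(content)]) + content


def key_usage_from_der(der: bytes) -> Set[str]:
    """Decode a KeyUsage BIT STRING back to its named bits, rejecting
    malformed input and non-zero padding bits."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short-form BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (body and body[-1] & ((1 << unused) - 1)):
        raise ValueError("unused bits must be zero (DER)")
    total_bits = len(body) * 8 - unused
    return {name for name, p in KEY_USAGE_BITS.items()
            if p < total_bits and body[p // 8] & (0x80 >> (p % 8))}


def permits(cert_type: str, usage: str) -> bool:
    """Whether a certificate of the given supplied type carries this usage."""
    return usage in SUPPLIED_TYPES[cert_type]
```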

Detail groups

On the Details tab, you can use the Display field to select the group of attributes you want to see. Not all details are viewable from the RA Desktop. Some attributes appear in more than one group. The kinds of details you can view are:

Basic attributes
    Attributes intrinsically associated with a database record.
Request attributes
    Attributes that describe the enrollment request.


Processing attributes
    Attributes that describe processing that is in accordance with your business policy. These attributes include the Revocation Reason attribute. Its value helps you identify certificates that have been put on hold, or have been removed from the CRL to reinstate them.
Action history
    A table of all the actions that were taken on the request or on the fulfilled request.

Status of enrollment requests

All the statuses are events in the action history.

Request Statuses include the following:

Approved
    The registration request has been approved.
Completed
    An RA or registrar has either approved or rejected the registration request. For an approved request, a certificate has been delivered to the user.

    Note: This is the final Request Status for a registration request. The Fulfillment Status of a Completed request refers to subsequent actions and events that affect the request. For example, if a certificate is renewed or revoked, the Fulfillment Status indicates it, but the Request Status still is Completed.

Pending
    The registration request may have been reviewed, but it still awaits approval or rejection.
Received
    A registration request has been received.
Rejected
    The registration request was rejected. A certificate was not issued.

Fulfillment Statuses include the following:

Delivered
    The certificate has been delivered to the Web page where the user can accept it.
Delivery confirmed
    The user has downloaded the certificate to the Web browser.
Issued
    The registration request has been approved, and the certificate has been issued.
Not issued
    The certificate has not been issued yet. This status does not indicate whether action has been taken on the request.
Renewed
    The certificate associated with a record has been renewed, resulting in a new record and a new certificate.
Revoked
    The certificate associated with a record has been revoked, rendering it void.


Help for tabs

The RA Desktop provides the following help, which is common to all its tabs:

A status area
    This area, at the bottom of the tab, displays the following:

    Field-specific help
        When your mouse is over a field, help is displayed for that field.

    Trust Authority messages
        These are displayed in a scrollable text box, along with an icon that indicates whether the message is a warning or an error.

    A progress bar
        This shows the progress of any processing you have requested.

A Help button
    You can click this to display help for the tab you are using.

Note: The help you display also contains the table of contents for the Registration Authority Desktop Guide. You can display any topic in the book by clicking its entry in the table of contents.

Related topics:

“Move between tabs” on page 15

JVM for Internet Explorer

Before installing the RA Desktop for use with Internet Explorer, you must have the following release of Java Virtual Machine (JVM):
• Release 5.00, build 3167 or later

To determine which version of MS JVM you have, do one of the following:
• Open the Java console from Internet Explorer.
• Open a DOS command line and type the following: jview

The reported version number should be 5.00.3167 or later.

If you need to upgrade your JVM, you can download the needed release from the Microsoft Technologies for Java Web page.

Keyboard alternatives to the mouse

Consult the following table if you must use the RA Desktop without a mouse.

Cursor/Focus location                                         Keystroke

General
Reinitiate your session after a timeout                       F5 key
Exit the RA Desktop.                                          Ctrl-x
Get help for the currently displayed tab.                     F1 key

Working within a tab
Move to a tab label from most fields                          Ctrl-Up arrow
Select another tab label and display that tab.                Right arrow goes to the next tab. Left arrow goes to the previous tab.
Scroll within a tab.                                          PgDn scrolls downward. PgUp scrolls upward.

Working within fields
Move to the next field from most fields.                      Tab
Move to the previous field from most fields.                  Shift-Tab
Move to the next field from a table or a text area.           Ctrl-Tab
Move to the previous field from a table or a text area.       Ctrl-Shift-Tab

Working within a table
Sort rows by a column value.                                  Alt-n, where n is the index of the column in the display. For example, to sort by the second column, press Alt-2.
Resize a column.                                              Not possible without a mouse.
Move from row to row and select a row.                        Down arrow moves down a row. Up arrow moves up a row.
Select a range of rows.                                       Shift-Up arrow or Shift-Down arrow selects each row in the range.
Select discontiguous rows.                                    Not possible without a mouse.
Move from cell to cell within a row.                          Tab moves right one cell. Shift-Tab moves left one cell.
Edit the current cell, if it is editable.                     F2 key opens a cell for editing. Enter commits the changes and exits the cell. Esc exits the cell without committing changes.

Working with the items in a list
Open a list.                                                  Up arrow or Down arrow.
Move through the list of items.                               Down arrow moves down. Up arrow moves up.
Select an item from the list and close the list.              Enter key
Close the list without changing the selection.                Esc key
Exit and move to the next field.                              Tab

Working with a set of radio buttons (a set is considered one field)
Move through the radio buttons and select one.                Down arrow moves down. Up arrow moves up.
Exit the field.                                               Tab

Setting a date
Move the cursor within the date field.                        Right arrow moves right. Left arrow moves left.
Open the calendar from the date field.                        Up arrow or Down arrow
Change the year on the calendar.                              Ctrl-PgDn moves ahead a year. Ctrl-PgUp moves back a year.
Change the month on the calendar.                             PgDn moves ahead a month. PgUp moves back a month.
Change to the beginning or end of the month on the calendar.  Home moves to the beginning of the month. End moves to the end of the month.
Change the week on the calendar.                              Down arrow moves down one week. Up arrow moves up one week.
Change the day on the calendar.                               Right arrow moves to the right one day. Left arrow moves to the left one day.
Move to today’s date on the calendar.                         Ctrl-Home
Select the highlighted date.                                  Enter
Close the calendar without selecting a date.                  Esc

Work with command buttons
Move to a command button.                                     Tab
Execute the command.                                          Space bar or Enter key

Troubleshooting

This section provides usage guidelines and troubleshooting suggestions for running the RA Desktop.

• When using the Microsoft Internet Explorer browser, you may see the following user interface-related problems:

  – If you receive an error relating to SSL, select Tools → Internet Options. On the Internet Options Settings window, select the Advanced tab and click on the Restore Defaults button. This will reactivate SSL 3.0. Click OK and close all open Internet Explorer windows. Restart the RA Desktop.

  – The Result table contains no records after a query reported that a number of records were returned. This problem is due to a delay in painting the applet. You can resolve it by clicking the browser’s Refresh button to restart the applet.

  – The items from the combo box cannot be selected using the mouse. This problem occurs if a pop-up window falls outside the applet region. This will occur in the List and Details panels if you select one of the combo boxes without scrolling down the panel. This causes the combo box to pop up below the applet’s bottom boundary. The solution is to select the combo box by using the keyboard. Use the Up or Down arrow, and then press Enter or the space bar. Alternatively, you can scroll the panel to position the combo box higher and more toward the middle of the applet.

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the information. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this information at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
Department LZKS
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM’s suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

Trademarks and service marks

The following terms are trademarks of International Business Machines Corporation in the United States, or other countries, or both:

IBM
AIX
AIX/6000
DB2
DB2 Universal Database
SecureWay
WebSphere

The Trust Authority program ("the Program") includes portions of DB2 Universal Database. You are authorized to install and use these components only in association with your licensed use of the Program for the storage and management of data used or generated by the Program, and not for other data management purposes. For example, this license does not include inbound connections to the database from other applications for queries or report generation. You are authorized to install and use these components only with and on the same machine as the Program.

The Program includes portions of the IBM WebSphere Application Server and the IBM HTTP Web Server ("IBM Servers"). You are not authorized to install or use the IBM Servers other than in connection with your licensed use of the Program. The IBM Servers must reside on the same machine as the Program, and you are not authorized to install or use the IBM Servers separate from the Program.

Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark in the United States, other countries, or both and is licensed exclusively through X/Open Company Limited.

Pentium is a trademark of Intel Corporation in the United States, other countries, or both.

This program contains security software from RSA Data Security, Inc. Copyright © 1994 RSA Data Security, Inc. All rights reserved.

This program contains Standard Template Library (STL) software from Hewlett-Packard Company. Copyright (c) 1994.
• Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

This program contains Standard Template Library (STL) software from Silicon Graphics Computer Systems, Inc. Copyright (c) 1996–1999.
• Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Silicon Graphics makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

Other company, product, and service names may be trademarks or service marks of others.

Related information

The Trust Authority product documentation is available in Portable Document Format (PDF) and HTML format on the IBM SecureWay Trust Authority Documentation CD-ROM. HTML versions of some publications are installed with the product and are accessible from the user interfaces.

Be aware that the product may have changed since the publications were produced. For the latest product information, and for information about accessing a publication in the language and format of your choice, see the Readme file. The latest version of the Readme file is available on the IBM SecureWay Trust Authority Web site: http://www.tivoli.com/support

The Trust Authority library includes the following documentation:

Up and Running
    This book provides an overview of the product. It lists the product requirements, includes installation procedures, and provides information about how to access the online help available for each product component. This book is printed and distributed with the product.

System Administration Guide
    This book contains general information about administering the Trust Authority system. It includes procedures for starting and stopping the servers, changing passwords, administering the server components, performing audits, and running data integrity checks.

Configuration Guide
    This book contains information about how to use the Setup Wizard to configure a Trust Authority system. You can access the HTML version of this guide while viewing online help for the Wizard.

Registration Authority Desktop Guide
    This book contains information about how to use the RA Desktop to administer certificates throughout the certificate life cycle. You can access the HTML version of this guide while viewing online help for the Desktop.

User’s Guide
    This book contains information about how to obtain and manage certificates. It provides procedures for using the Trust Authority browser enrollment forms to request, renew, and revoke certificates. It also discusses how to preregister for PKIX-compliant certificates, and how to use the Trust Authority Client to manage these certificates. You can access the HTML version of this guide while viewing online help for the Client.

Customization Guide
    This book shows you how to customize the Trust Authority registration facility to support the registration and certification goals of your business policies. For example, you can learn how to customize HTML and Java Server pages, notification letters, certificate profiles, and policy exits.

The Trust Authority Web site includes other documents that may help you install, administer, and use Trust Authority. For example, you can find supplemental guidelines on the Directory schema and learn how to integrate Trust Authority with the IBM SecureWay 4758 PCI Coprocessor.

Glossary

This glossary defines the terms and abbreviations in this book that may be new or unfamiliar and terms that may be of interest. It includes terms and definitions from:
• The IBM Dictionary of Computing, New York: McGraw-Hill, 1994.
• The American National Standard Dictionary for Information Systems, ANSI X3.172–1990, American National Standards Institute (ANSI), 1990.
• The Answers to Frequently Asked Questions, Version 3.0, California: RSA Data Security, Inc., 1998.

Numbers

4758 PCI Cryptographic Coprocessor. A programmable, tamper-responding cryptographic PCI-bus card offering high performance DES and RSA cryptographic processing. The cryptographic processes occur within a secure enclosure on the card. The card meets the stringent requirements of the FIPS PUB 140-1 level 4 standard. Software can run within the secure enclosure. For example, credit card transaction processing can use the SET standard.

A

Abstract Syntax Notation One (ASN.1). An ITU notation that is used to define the syntax of information data. It defines a number of simple data types and specifies a notation for identifying these types and for specifying values of these types. These notations can be applied whenever it is necessary to define the abstract syntax of information without curbing how the information is encoded for transmission.

access control list (ACL). A mechanism for limiting the use of a specific resource to authorized users.

ACL. Access control list.

action history. Accumulated events in the life cycle of a credential.

American National Standard Code for Information Interchange (ASCII). The standard code that is used for information interchange among data processing systems, data communication systems, and associated equipment. The ASCII set uses a coded character set that consists of 7-bit coded characters (8 bits including a bit for parity checking). The character set consists of control characters and graphic characters.

American National Standards Institute (ANSI). An organization that establishes the procedures by which accredited organizations create and maintain voluntary industry standards in the United States. It consists of producers, consumers, and general interest groups.

ANSI. American National Standards Institute.

applet. A computer program that is written in Java and runs inside a Java-compatible Web browser. Also known as a Java applet.

ASCII. American National Standard Code for Information Interchange.

ASN.1. Abstract Syntax Notation One.

asymmetric cryptography. Cryptography that uses different, asymmetric keys for encryption and decryption. Each user receives a pair of keys: a public key accessible to all, and a private key known only to the user. A secure transaction can occur when the public key and the corresponding private key match, enabling the decryption of the transaction. This is also known as key pair cryptography. Contrast with symmetric cryptography.

asynchronous communication. A mode of communication that does not require the sender and recipient to be present simultaneously.

audit client. Any client in the system that sends audit events to the Trust Authority Audit server. Before an audit client sends an event to the Audit server, it establishes a connection with the Audit server. After the connection is established, the client uses the audit subsystem client library to deliver events to the Audit server.

audit log. In Trust Authority, a table in a database that stores one record per audit event.

Audit server. A Trust Authority server that receives audit events from audit clients and writes them to an audit log.

audit subsystem. In Trust Authority, a subsystem that provides the support for logging security-relevant actions. It conforms to recommendations in standard X9.57, of the standards set forth in Public Key Cryptography for the Financial Services Industry.

audit trail. Data, in the form of a logical path, that links a sequence of events. An audit trail enables tracing of transactions or the history of a given activity.

authentication. The process of reliably determining the identity of a communicating party.

authorization. Permission to access a resource.

B

base64 encoding. A common means of conveying binary data with MIME.

Basic Encoding Rules (BER). The rules specified in ISO 8825 for encoding data units described in abstract syntax notation 1 (ASN.1). The rules specify the encoding technique, not the abstract syntax.

BER. Basic Encoding Rules.

browser. See Web browser.

browser certificate. A digital certificate that is also known as a client-side certificate. It is issued by a CA through an SSL-enabled Web server. Keys in an encrypted file enable the holder of the certificate to encrypt, decrypt, and sign data. Typically, the Web browser stores these keys. Some applications permit storage of the keys on smart cards or other media. See also digital certificate.

business process objects. A set of code used to accomplish a specific registration operation, such as checking the status of an enrollment request or verifying that a public key was sent.

business process template. A set of business process objects that are run in a specified order.

bytecode. Machine-independent code that is generated by the Java compiler and run by the Java interpreter.

C

CA. Certificate authority.

CA certificate. A certificate your Web browser accepts, at your request, from a CA it does not recognize. The browser can then use this certificate to authenticate communications with servers that hold certificates issued by that CA.

CA hierarchy. In Trust Authority, a trust structure whereby one CA is located at the top of the structure and up to four layers of subordinate CAs are located below. When users or servers are registered with a CA, they receive a certificate that is signed by that CA, and they inherit the certification hierarchy of the layers above.

CA server. The server for the Trust Authority Certificate Authority (CA) component.

CAST-64. A block cipher algorithm that uses a 64-bit block size and a 6-bit key. It was designed by Carlisle Adams and Stafford Tavares.

CCA. IBM Common Cryptographic Architecture.

CDSA. Common Data Security Architecture.

certificate authority (CA). The software responsible for following an organization’s security policies and assigning secure electronic identities in the form of certificates. The CA processes requests from RAs to issue, renew, and revoke certificates. The CA interacts with the RA to publish certificates and CRLs in the Directory. See also digital certificate.

certificate extension. An optional feature of the X.509v3 certificate format that provides for the inclusion of additional fields in the certificate. There are standard extensions and user-defined extensions. Standard extensions exist for various purposes, including key and policy information, subject and issuer attributes, and certification path constraints.

certificate policy. A named set of rules that indicates the applicability of a certificate to a particular class of applications that have common security requirements. For example, a certificate policy might indicate whether a particular certification type allows a user to conduct transactions for goods within a given price range.

certificate profile. A set of characteristics that define the type of certificate wanted (such as SSL certificates or IPSec certificates). The profile aids in managing certificate specification and registration. The issuer can change the names of the profiles and specify characteristics of the desired certificate, such as the validity period, key usage, DN constraints, and so forth.

certificate revocation list (CRL). A digitally signed, time-stamped list of certificates that the certificate authority has revoked. The certificates in this list should be considered unacceptable. See also digital certificate.

certification. The process during which a trusted third party issues an electronic credential that vouches for an individual, business, or organizational identity.

CGI. Common Gateway Interface.

chain validation. The validation of all CA signatures in the trust hierarchy through which a given certificate was issued. For example, if a CA was issued its signing certificate by another CA, both signatures are validated during validation of the certificate that the user presents.

class. In object-oriented design or programming, a group of objects that share a common definition and therefore share common properties, operations, and behavior.

cleartext. Data that is not encrypted. Synonym for plaintext.

client. (1) A functional unit that receives shared services from a server. (2) A computer or program that requests a service of another computer or program.

client/server. A model in distributed processing in which a program at one site sends a request to a program at another site and waits for a response. The requesting program is called a client; the answering one is called a server.

code signing. A technique for signing executable programs with digital signatures. Code signing is designed to improve the reliability of software that is distributed over the Internet.

Common Cryptographic Architecture (CCA). IBM software that enables a consistent approach to cryptography on major IBM computing platforms. It supports application software that is written in a variety of programming languages. Application software can call on CCA services to perform a broad range of cryptographic functions, including DES and RSA encryption.

Common Data Security Architecture (CDSA). An initiative to define a comprehensive approach to security service and security management for computer-based security applications. It was designed by Intel, to make computer platforms more secure for applications.

Common Gateway Interface (CGI). Standard method of transmitting information between Web pages and Web servers.

confidentiality. The property of not being divulged to unauthorized parties.

credential. Confidential information used to prove one’s identity in an authentication exchange. In environments for network computing, the most common type of credential is a certificate that a CA has created and signed.

CRL. Certificate revocation list.

CRL publication interval. Set in the CA configuration file, the interval of time between periodic publications of the CRL to the Directory.

cross-certification. A trust model whereby one CA issues to another CA a certificate that contains the public key associated with its private signature key. A cross-certified certificate allows client systems or end entities in one administrative domain to communicate securely with client systems or end entities in another domain.

cryptographic. Pertaining to the transformation of data to conceal its meaning.

cryptography. In computer security, the principles, means, and methods for encrypting plaintext and decrypting encrypted text.

D

daemon. A program that carries out tasks in the background. It is implicitly called when a condition occurs that requires its help. A user need not be aware of a daemon, because the system usually spawns it automatically. A daemon might live forever or the system might regenerate it at intervals.

The term (pronounced demon) comes from mythology. Later, it was rationalized as the acronym DAEMON: Disk And Execution MONitor.

Data Encryption Standard (DES). An encryption block cipher, defined and endorsed by the U.S. government in 1977 as an official standard. IBM developed it originally. DES has been extensively studied since its publication and is a well-known and widely used cryptographic system.

DES is a symmetric cryptographic system. When it is used for communication, both the sender and receiver must know the same secret key. This key is used to encrypt and decrypt the message. DES can also be used for single-user encryption, such as to store files on a hard disk in encrypted form. DES has a 64-bit block size and uses a 56-bit key during encryption. It was originally designed for implementation in hardware. NIST has recertified DES as an official U.S. government encryption standard every five years.

Data Storage Library (DL). A module that provides access to persistent data stores of certificates, CRLs, keys, policies, and other security-related objects.

decrypt. To undo the encryption process.

DEK. Document encrypting key.

DER. Distinguished Encoding Rules.

DES. Data Encryption Standard.

Diffie-Hellman. A method of establishing a shared key over an insecure medium, named after the inventors (Diffie and Hellman).

digital certificate. An electronic credential that is issued by a trusted third party to a person or entity. Each certificate is signed with the private key of the CA. It vouches for an individual, business, or organizational identity.

Depending on the role of the CA, the certificate can attest to the authority of the bearer to conduct e-business over the Internet. In a sense, a digital certificate performs a similar role to a driver’s license or a medical diploma. It certifies that the bearer of the corresponding private key has authority to conduct certain e-business activities.

A certificate contains information about the entity it certifies, whether person, machine, or computer program. It includes the certified public key of that entity.

digital certification. See certification.

digital signature. A coded message added to a document or data that guarantees the identity of the sender.

A digital signature can provide a greater level of security than a physical signature. The reason for this is that a digital signature is not an encrypted name or series of simple identification codes. Instead, it is an encrypted summary of the message that is being signed. Thus, affixing a digital signature to a message provides solid identification of the sender. (Only the sender’s key can create the signature.) It also fixes the content of the message that is being signed (the encrypted message summary must match the message content or the signature is not valid). Thus, a digital signature cannot be copied from one message and applied to another because the summary, or hash, would not match. Any alterations to the signed message would also invalidate the signature.

Digital Signature Algorithm (DSA). A public key algorithm that is used as part of the Digital Signature Standard. It cannot be used for encryption, only for digital signatures.

Directory. A hierarchical structure intended as a global repository for information related to communications (such as e-mail or cryptographic exchanges). The Directory stores specific items that are essential to the PKI structure, including public keys, certificates, and certificate revocation lists.

Data in the Directory is organized hierarchically in the form of a tree, with the root at the top of the tree. Often, higher level organizations represent individual countries, governments, or companies. Users and devices are typically represented as leaves of each tree. These users, organizations, localities, countries, and devices each have their own entry. Each entry consists of typed attributes. These provide information about the object that the entry represents.

Each entry in the Directory is bound with an associated distinguished name (DN). This is unique when the entry includes an attribute that is known to be unique to the real world object. Consider the following example DN. In it, the country (C) is US, the organization (O) is IBM, the organizational unit (OU) is Trust, and the common name (CN) is CA1.

C=US/O=IBM/OU=Trust/CN=CA1

Directory server. In Trust Authority, the IBM SecureWay Directory. This Directory supports LDAP standards and uses DB2 as its base.

Distinguished Encoding Rules (DER). Provides constraints on the BER. DER selects just one type of encoding from those that the encoding rules allow, eliminating all of the sender’s options.

distinguished name (DN). The unique name of a data entry that is stored in the Directory. The DN uniquely identifies the position of an entry in the hierarchical structure of the Directory.

DL. Data Storage Library.

DN. Distinguished name.

document encrypting key (DEK). Typically, a symmetric encryption/decryption key, such as DES.

domain. See security domain and registration domain.

DSA. Digital Signature Algorithm.

E

e-business. Business transactions over networks and through computers. It includes buying and selling goods and services. It also includes transferring funds through digital communications.

e-commerce. Business-to-business transactions. It includes buying and selling goods and services (with customers, suppliers, vendors, and others) on the Internet. It is a primary element of e-business.

end-entity. The subject of a certificate that is not a CA.

encrypt. To scramble information so that only someone who has the appropriate decryption code can obtain the original information through decryption.

encryption/decryption. Using the public key of the intended recipient to encipher data for that person, who then uses the private key of the pair to decipher the data.

enrollment. In Trust Authority, the process of obtaining credentials for use over the Internet. Enrollment encompasses the requesting, renewing, and revoking of certificates.

enrollment attribute. An enrollment variable that is contained in an enrollment form. Its value reflects the information that is captured during the enrollment. The value of the enrollment attribute remains the same throughout the lifetime of the credential.

enrollment variable. See enrollment attribute.

extranet. A derivative of the Internet that uses similar technology. Companies are beginning to apply Web publishing, electronic commerce, message transmission, and groupware to multiple communities of customers, partners, and internal staff.


F

File Transfer Protocol (FTP). An Internet client/server protocol for use in transferring files between computers.

firewall. A gateway between networks that restricts the flow of information between networks. Typically, the purpose of a firewall is to protect internal networks from unauthorized use from the outside.

FTP. File Transfer Protocol.

G

gateway. A functional unit that allows incompatible networks or applications to communicate with each other.

H

HTML. Hypertext Markup Language.

HTTP. Hypertext Transaction Protocol.

HTTP server. A server that handles Web-based communications with browsers and other programs in a network.

hypertext. Text that contains words, phrases, or graphics that the reader can click with the mouse to retrieve and display another document. These words, phrases, or graphics are known as hyperlinks. Retrieving them is known as linking to them.

Hypertext Markup Language (HTML). A markup language for coding Web pages. It is based on SGML.

Hypertext Transaction Protocol (HTTP). An Internet client/server protocol for transferring hypertext files across the Web.

I

ICL. Issued certificate list.

IETF (Internet Engineering Task Force). A group that focuses on engineering and developing protocols for the Internet. It represents an international community of network designers, operators, vendors, and researchers. The IETF is concerned with the development of the Internet architecture and the smooth use of the Internet.

IniEditor. In Trust Authority, a tool used to edit configuration files.

instance. In DB2, an instance is a logical database management environment for storing data and running applications. It allows definition of a common set of configuration parameters for multiple databases.

integrity. A system protects the integrity of data if it prevents unauthorized modification (as opposed to protecting the confidentiality of data, which prevents unauthorized disclosure).

integrity checking. The checking of audit records that result from transactions with external components.

internal structure. See schema.

International Standards Organization (ISO). An international organization tasked with developing and publishing standards for everything from wine glasses to computer network protocols.

International Telecommunication Union (ITU). An international organization within which governments and the private sector coordinate global telecommunication networks and services. It is the leading publisher of telecommunication technology, regulatory, and standards information.

Internet. A worldwide collection of networks that provide electronic connection between computers. This enables them to communicate with each other via software devices such as electronic mail or Web browsers. For example, some universities are on a network that in turn links with other similar networks to form the Internet.

intranet. A network within an enterprise that usually resides behind firewalls. It is a derivative of the Internet and uses similar technology. Technically, an intranet is a mere extension of the Internet. HTML and HTTP are some of the commonalities.

IPSec. An Internet Protocol Security standard, developed by the IETF. IPSec is a network layer protocol, designed to provide cryptographic security services that flexibly support combinations of authentication, integrity, access control, and confidentiality. Because of its strong authentication features, it has been adopted by many VPN product vendors as the protocol for establishing secure point-to-point connections over the Internet.

ISO. International Standards Organization.

issued certificate list (ICL). A complete list of the certificates that have been issued and their current status. Certificates are indexed by serial number and state. This list is maintained by the CA and stored in the CA database.

ITU. International Telecommunication Union.

J

Java. A set of network-aware, non-platform-specific computer technologies developed by Sun Microsystems, Incorporated. The Java environment consists of the Java OS, the virtual machines for various platforms, the object-oriented Java programming language, and several class libraries.

Java applet. See applet. Contrast with Java application.

Java application. A stand-alone program that is written in the Java language. It runs outside the context of a Web browser.

Java class. A unit of Java program code.

Java language. A programming language, developed by Sun Microsystems, designed specifically for use in applet and agent applications.

Java Virtual Machine (JVM). The part of the Java run-time environment responsible for interpreting bytecodes.

K

key. A quantity used in cryptography to encipher or decipher information.

key pair. Corresponding keys that are used in asymmetric cryptography. One key is used to encrypt and the other to decrypt.

KeyStore. A DL for storing Trust Authority component credentials, such as keys and certificates, in an encrypted format.

L

LDAP. Lightweight Directory Access Protocol.

Lightweight Directory Access Protocol (LDAP). A protocol used to access the Directory.

M

MAC. Message authentication code.

MD2. A 128-bit message-digest hash function, designed by Ron Rivest. It is used with MD5 in the PEM protocols.

MD4. A 128-bit message-digest hash function, designed by Ron Rivest. It is several times faster than MD2.

MD5. A one-way message-digest hash function, designed by Ron Rivest. It is an improved version of MD4. MD5 processes input text in 512-bit blocks, divided into 16 32-bit sub-blocks. The output of the algorithm is a set of four 32-bit blocks, which concatenate to form a single 128-bit hash value. It is also used along with MD2 in the PEM protocols.

message authentication code (MAC). A secret key that is shared between the sender and the recipient. The sender authenticates, and the recipient verifies. In Trust Authority, MAC keys are stored in the KeyStores for the CA and Auditing components.

message digest. An irreversible function that takes an arbitrary-sized message and produces a fixed length quantity. MD5 is an example of a message digest algorithm.

MIME (Multipurpose Internet Mail Extensions). A freely available set of specifications that allows the interchange of text in languages with different character sets. It also allows multimedia e-mail among many different computer systems that use Internet mail standards. For example, the e-mail messages may contain character sets other than US-ASCII, enriched text, images, and sounds.

modulus. In the RSA public key cryptographic system, the product (n) of two large primes: p and q. The best size for an RSA modulus depends on one’s security needs. The larger the modulus, the greater the security. The current RSA Laboratories–recommended key sizes depend on the planned use for the key: 768 bits for personal use, 1024 bits for corporate use, and 2048 bits for extremely valuable keys like the key pair of a CA. A 768-bit key is expected to be secure until at least the year 2004.

N

National Language Support (NLS). Support within a product for differences in locales, including language, currency, date and time format, and numeric presentation.

National Security Agency (NSA). The official security body of the U.S. government.

NIST. National Institute of Standards and Technology, formerly known as NBS (National Bureau of Standards). It promotes open standards and interoperability in computer-based industries.

NLS. National language support.

nonce. A string that is sent down from a server or application, requesting user authorization. The user that is asked for authentication signs the nonce with a private key. The user’s public key and the signed nonce are sent back to the server or application that requested authentication. The server then attempts to decipher the signed nonce with the user’s public key. If the deciphered nonce is the same as the original nonce that was sent, the user is authenticated.

non-repudiation. The use of a digital private key to prevent the signer of a document from falsely denying having signed it.

NSA. National Security Agency.


O

object. In object-oriented design or programming, an abstraction encapsulating data and the operations associated with that data. See also class.

object identifier (OID). An administratively assigned data value of the type defined in abstract syntax notation 1 (ASN.1).

object type. The kind of object that can be stored in the Directory. For example, an organization, meeting room, device, person, program, or process.

ODBC. Open Database Connectivity.

Open Database Connectivity (ODBC). A standard for accessing different database systems.

Open Systems Interconnect (OSI). The name of the computer networking standards that the ISO approved.

OSI. Open Systems Interconnect.

P

PC card. Similar to a smart card, and sometimes called a PCMCIA card. This card is somewhat larger than a smart card and usually has a greater capacity.

PEM. Privacy-enhanced mail.

PKCS. Public Key Cryptography Standards.

PKCS #1. See Public Key Cryptography Standards.

PKCS #7. See Public Key Cryptography Standards.

PKCS #10. See Public Key Cryptography Standards.

PKCS #11. See Public Key Cryptography Standards.

PKCS #12. See Public Key Cryptography Standards.

PKI. Public key infrastructure.

PKIX. An X.509v3-based PKI.

PKIX certificate management protocol (CMP). A protocol that enables connections with PKIX-compliant applications. PKIX CMP uses TCP/IP as its primary transport mechanism, but an abstraction layer over sockets exists. This enables support for additional polling transports.

PKIX CMP. PKIX certificate management protocol.

PKIX listener. The public HTTP server that a particular registration domain uses to listen for requests from the Trust Authority Client application.

plaintext. Unencrypted data. Synonym for cleartext.

policy exit. In a registration facility, an organization-defined program that is called by the registration application. The rules specified in a policy exit apply the organization’s business and security preferences to the enrollment process.

preregistration. In Trust Authority, a process that allows one user, typically an administrator, to enroll other users. If the request is approved, the RA provides information that allows the user to obtain the certificate at a later time using the Trust Authority Client application.

privacy. Protection from the unauthorized disclosure of data.

privacy-enhanced mail (PEM). The Internet privacy-enhanced mail standard that the Internet Architect Board (IAB) adopted to provide secure electronic mail over the Internet. The PEM protocols provide for encryption, authentication, message integrity, and key management.

private key. The key in a public/private key pair that is available only to its owner. It enables the owner to receive a private transaction or make a digital signature. Data signed with a private key can be verified only with the corresponding public key. Contrast with public key. See also public/private key pair.

protocol. An agreed-on convention for inter-computer communication.

proxy server. An intermediary between the computer that is requesting access (computer A) and the computer that is being accessed (computer B). Thus, if an end user makes a request for a resource from computer A, this request is directed to a proxy server. The proxy server makes the request, gets the response from computer B, and then forwards the response to the end user. Proxy servers are useful for accessing World Wide Web resources from inside a firewall.

public key. The key in a public/private key pair that is made available to others. It enables them to direct a transaction to the owner of the key or verify a digital signature. Data encrypted with the public key can be decrypted only with the corresponding private key. Contrast with private key. See also public/private key pair.

Public Key Cryptography Standards (PKCS). Informal inter-vendor standards developed in 1991 by RSA Laboratories with representatives from various computer vendors. These standards cover RSA encryption, the Diffie-Hellman agreement, password-based encryption, extended-certificate syntax, cryptographic message syntax, private-key information syntax, and certification syntax.


v PKCS #1 describes a method for encrypting data by using the RSA public key cryptosystem. Its intended use is in the construction of digital signatures and digital envelopes.

v PKCS #7 specifies a general format for cryptographic messages.

v PKCS #10 specifies a standard syntax for certification requests.

v PKCS #11 defines a technology-independent programming interface for cryptographic devices such as smart cards.

v PKCS #12 specifies a portable format for storing or transporting a user’s private keys, certificates, miscellaneous secrets, and so forth.

public key infrastructure (PKI). A standard for security software that is based on public key cryptography. The PKI is a system of digital certificates, certificate authorities, registration authorities, certificate management services, and distributed directory services. It is used to verify the identity and authority of each party involved in any transaction over the Internet. These transactions might involve operations where identity verification is required. For example, they might confirm the origin of proposal bids, authors of e-mail messages, or financial transactions.

The PKI achieves this by making the public encryption keys and certificates of users available for authentication by a valid individual or organization. It provides online directories that contain the public encryption keys and certificates that are used in verifying digital certificates, credentials, and digital signatures.

The PKI provides a means for swift and efficient responses to verification queries and requests for public encryption keys. It also identifies potential security threats to the system and maintains resources to deal with security breaches. Lastly, the PKI provides a digital timestamping service for important business transactions.

public/private key pair. A public/private key pair is part of the concept of key pair cryptography (introduced in 1976 by Diffie and Hellman to solve the key management problem). In their concept, each person obtains a pair of keys, one called the public key and the other called the private key. Each person’s public key is made public while the private key is kept secret. The sender and receiver do not need to share secret information: all communications involve only public keys, and no private key is ever transmitted or shared. It is no longer necessary to trust some communications channel to be secure against eavesdropping or betrayal. The only requirement is that public keys must be associated with their users in a trusted (authenticated) manner (for instance, in a trusted directory). Anyone can send a confidential message by using public information. However, the message can be decrypted only with a private key, which is in the sole possession of the intended recipient. Furthermore, key pair cryptography can be used not only for privacy (encryption), but also for authentication (digital signatures).

R

RA. Registration authority.

RA Desktop. A Java applet that provides RAs with a graphical interface for processing requests for credentials and administering them throughout their lifetime.

RA server. The server for the Trust Authority Registration Authority component.

RC2. A variable key-size block cipher, designed by Ron Rivest for RSA Data Security. RC stands for Ron’s Code or Rivest’s Cipher. It is faster than DES and is designed as a drop-in replacement for DES. It can be made more secure or less secure against exhaustive key search than DES by using appropriate key sizes. It has a block size of 64 bits and is about two to three times faster than DES in software. RC2 can be used in the same modes as DES.

An agreement between the Software Publishers Association (SPA) and the United States government gives RC2 special status. This makes the export approval process simpler and quicker than the usual cryptographic export process. However, to qualify for quick export approval a product must limit the RC2 key size to 40 bits with some exceptions. An additional string can be used to thwart attackers who try to precompute a large look-up table of possible encryptions.

registrar. A user who has been authorized to access the RA Desktop, to administer certificates and requests for certificates.

registration authority (RA). The software that administers digital certificates to ensure that an organization’s business policies are applied from the initial receipt of an enrollment request through certificate revocation.

registration database. Contains information about certificate requests and issued certificates. The database stores enrollment data and all changes to the certificate data throughout its life cycle. The database can be updated by RA processes and policy exits, or by registrars.

registration domain. A set of resources, policies, and configuration options related to specific certificate registration processes. The domain name is a subset of the URL that is used to run the registration facility.

registration facility. A Trust Authority application framework that provides specialized means of enrolling entities (such as browsers, routers, e-mail, and secure client applications) and managing certificates throughout their life cycle.

registration process. In Trust Authority, the steps for validating a user, so that the user and the user’s public key can become certified and participate in transactions. This process can be local or Web-based, and can be automated or administered by human interaction.

repudiate. To reject as untrue; for example, to deny that you sent a specific message or submitted a specific request.

request ID. A 24- to 32-character ASCII value that uniquely identifies a certificate request to the RA. This value can be used on the certificate request transaction to retrieve the status of the request or the certificate that is associated with it.

RSA. A public key cryptographic algorithm that is named for its inventors (Rivest, Shamir, and Adleman). It is used for encryption and digital signatures.

S

schema. As relates to the Directory, the internal structure that defines the relationships between different object types.

Secure Electronic Transaction (SET). An industry standard that facilitates secure credit card or debit card payment over untrusted networks. The standard incorporates authentication of cardholders, merchants, and card-issuing banks because it calls for the issuance of certificates.

Secure Sockets Layer (SSL). An IETF standard communications protocol with built-in security services that are as transparent as possible to the end user. It provides a digitally secure communications channel.

An SSL-capable server usually accepts SSL connection requests on a different port than it uses for standard HTTP requests. SSL creates a session during which the exchange of signals needed to set up communications between two modems occurs only once. After that, communication is encrypted. Message integrity checking continues until the SSL session expires.

security domain. A group (a company, work group or team, educational or governmental) whose certificates have been certified by the same CA. Users with certificates that are signed by a CA can trust the identity of another user that has a certificate signed by the same CA.

server. (1) In a network, a data station that provides functions to other stations; for example, a file server. (2) In TCP/IP, a system in a network that handles the requests of a system at another site, called a client/server.

server certificate. A digital certificate, issued by a CA to enable a Web server to conduct SSL-based transactions. When a browser connects to the server by using the SSL protocol, the server sends the browser its public key. This enables authentication of the identity of the server. It also enables encrypted information to be sent to the server. See also CA certificate, digital certificate, and browser certificate.

servlet. A server-side program that gives Java-enabled servers additional functionality.

SET. Secure Electronic Transaction.

SGML. Standard Generalized Markup Language.

SHA-1 (Secure Hash Algorithm). An algorithm that was designed by NIST and NSA for use with the Digital Signature Standard. The standard is the Secure Hash Standard; SHA is the algorithm that the standard uses. SHA produces a 160-bit hash.

sign. To use your private key to generate a signature. The signature is a means of proving that you are responsible for and approve of the message you are signing.

signing/verifying. To sign is to use a private digital key to generate a signature. To verify is to use the corresponding public key to verify the signature.

Simple Mail Transfer Protocol (SMTP). A protocol that transfers electronic mail over the Internet.

site certificate. Similar to a CA certificate, but valid only for a specific Web site. See also CA certificate.

smart card. A piece of hardware, typically the size of a credit card, for storing a user’s digital keys. A smart card can be password-protected.

S/MIME. A standard that supports the signing and encryption of e-mail transmitted across the Internet. See MIME.

SMTP. Simple Mail Transfer Protocol.

SSL. Secure Sockets Layer.

Standard Generalized Markup Language (SGML). A standard for describing markup languages. HTML is based on SGML.

symmetric cryptography. Cryptography that uses the same key for both encryption and decryption. Its security rests in the key: revealing the key means that anyone could encipher and decipher messages. The communication remains secret only as long as the key remains secret. Contrast with asymmetric cryptography.

symmetric key. A key that can be used for both encryption and decryption. See also symmetric cryptography.


T

target. A designated or selected data source.

TCP/IP. Transmission Control Protocol/Internet Protocol.

top CA. The CA at the top of a PKI CA hierarchy.

TP. Trust Policy.

transaction ID. An identifier provided by the RA in response to a preregistration enrollment request. It enables a user running the Trust Authority Client application to obtain the pre-approved certificate.

Transmission Control Protocol/Internet Protocol (TCP/IP). A set of communication protocols that support peer-to-peer connectivity functions for local and wide area networks.

triple DES. A symmetric algorithm that encrypts the plaintext three times. Although many ways exist to do this, the most secure form of multiple encryption is triple-DES with three distinct keys.

Trust Authority. An integrated IBM SecureWay security solution that supports the issuance, renewal, and revocation of digital certificates. These certificates can be used in a wide range of Internet applications, providing a means to authenticate users and ensure trusted communications.

trust domain. A set of entities whose certificates have been certified by the same CA.

trusted computer base (TCB). The software and hardware elements that collectively enforce an organization’s computer security policy. Any element or part of an element that can affect security policy enforcement is security-relevant and part of the TCB. The TCB is an object that is bounded by the security perimeter. The mechanisms that carry out the security policy must be non-circumventable, and must prevent programs from gaining access to system privileges to which they are not authorized.

trust model. A structuring convention that governs how certificate authorities certify other certificate authorities.

tunnel. In VPN technology, an on-demand virtual point-to-point connection made through the Internet. While connected, remote users can use the tunnel to exchange secure, encrypted, and encapsulated information with servers on the corporate private network.

type. See object type.

U

Unicode. A 16-bit character set that is defined by ISO 10646. The Unicode character encoding standard is an international character code for information processing. The Unicode standard encompasses the principal scripts of the world and provides the foundation for the internationalization and localization of software. All source code in the Java programming environment is written in Unicode.

Uniform Resource Locator (URL). A scheme for addressing resources on the Internet. The URL specifies the protocol, host name or IP address. It also includes the port number, path, and resource details needed to access a resource from a particular machine.

URL. Uniform Resource Locator.

user authentication. The process of validating that the originator of a message is the identifiable and legitimate owner of the message. It also validates that you are communicating with the end user or system you expected to.

UTF-8. A transformation format. It enables information processing systems that handle only 8-bit character sets to convert 16-bit Unicode to an 8-bit equivalent and back again without loss of information.

V

Virtual Private Network (VPN). A private data network that uses the Internet rather than phone lines to establish remote connections. Because users access corporate network resources through an Internet Service Provider (ISP) rather than a telephone company, organizations can significantly reduce remote access costs. A VPN also enhances the security of data exchanges. In traditional firewall technology, message content can be encrypted, but the source and destination addresses are not. In VPN technology, users can establish a tunnel connection in which the entire information packet (content and header) is encrypted and encapsulated.

VPN. Virtual Private Network.

W

Web browser. Client software that runs on a desktop PC and enables the user to browse the World Wide Web or local HTML pages. It is a retrieval tool that provides universal access to the large collection of hypermedia material available in the Web and Internet. Some browsers can display text and graphics, and some can display only text. Most browsers can handle the major forms of Internet communication, such as FTP transactions.


Web server. A server program that responds to requests for information resources from browser programs. See also server.

WebSphere Application Server. An IBM product that helps users develop and manage high-performance Web sites. It eases the transition from simple Web publishing to advanced e-business Web applications. The WebSphere Application Server consists of a Java-based servlet engine that is independent of both the Web server and its underlying operating system.

World Wide Web (WWW). That part of the Internet where a network of connections is established between computers that contain hypermedia materials. These materials provide information and can provide links to other materials in the WWW and Internet. WWW resources are accessed through a Web browser program.

X

X.500. A standard for putting into effect a multipurpose, distributed and replicated directory service by interconnecting computer systems. Jointly defined by the International Telecommunications Union (ITU), formerly known as CCITT, and the International Organization for Standardization and International Electro-Chemical Commission (ISO/IEC).

X.509 certificate. A widely-accepted certificate standard designed to support secure management and distribution of digitally signed certificates across secure Internet networks. The X.509 certificate defines data structures that accommodate procedures for distributing public keys that are digitally signed by trusted third parties.

X.509 Version 3 certificate. The X.509v3 certificate has extended data structures for storing and retrieving certificate application information, certificate distribution information, certificate revocation information, policy information, and digital signatures.

X.509v3 processes create time-stamped CRLs for all certificates. Each time a certificate is used, X.509v3 capabilities allow the application to check the validity of the certificate. It also allows the application to determine whether the certificate is on the CRL. X.509v3 CRLs can be constructed for a specific validity period. They can also be based on other circumstances that might invalidate a certificate. For example, if an employee leaves an organization, their certificate would be put on the CRL.


Index

A
access control list 28
access to RA Desktop 5
accessing the RA Desktop 10
action by registrar
    adding a comment 18
    altering attributes 14
    approving a request 19
    changing a validity period 17
    changing renewability 19
    getting feedback 13
    keeping a request pending 19
    permissible for domain 21, 34
    rejecting a request 19
    revoking a certificate 20
    set a request profile 18
action history
    columns in table 35
    events 36
    viewing 15
attributes, certificate and request
    altering 14
    business process variables 17
    certificate extensions 37
    changing values 17
    of request or certificate 36
    viewing 14
attributes, database record 25
authentication 28
authorization for registrar 8

B
browser 6
    preparation 5
    scenario for preregistration 23
    supported 23
    URL 6
browser certificate 6, 10, 26
browser support 23
business process variables 17

C
CA certificate 6, 27
CA hierarchy 25
calendar 12
certificate 26
    action history 15, 36
    categories 26
    database record 24
    details of 35
    distinguished names 26
    expiring 12
    for running RA Desktop 6
    for using enrollment services 6, 27
    ongoing administration 28
    pending request for 11
    presenting 10
    putting on hold 19
    removing from CRL 20
    renewability 19, 27
    renewable 27
    request for 3
    requesting for browser 6
    status 39
    types 37
    validity period 17
certificate attributes 14, 36
Certificate Authority 25
certificate extensions 27, 37
certificate life cycle 25, 27
certificate revocation list 26
certificate type 37
certification 25
    cross-certification 25
    hierarchy 25
Challenge Response 6, 8
column headings
    action history table 15
    attributes table 14
    query results table 13
column values
    action history table 35, 36
    attributes table 35, 36
    query results table 33
compromised key 35
CRL, removing certificate from 20, 35
cross-certification 25

D
database records
    attributes 25
    fields for retrieving 31
    handling by RA 3
    limiting retrieval 12
    predefined query 33
    querying 11
    selecting for action 16
    setting number per page 12
dates, specifying 12
DB2 24
Details tab 35
device certificate 27
Directory access 26
distinguished name 26
domain, registration 24

E
e-mail notification 6
enrollment attributes 36
enrollment request
    action history 36
    automated evaluation 24
    checking request status 8
    database record 25
    enrollment form 23
    evaluating 24
    fields for retrieving 31
    handling by RA 3, 16
    of registrar 6
    pending 11
    preregistration 23
    status 39
    Web browser support 23
enrollment request life cycle 25
enrollment Web page
    accessing 6
    CA certificate for using 6, 27
    uses 23
exiting the RA Desktop 21
expiration of certificate 12, 17

F
feedback during processing 13
field help 40
fields, RA Desktop
    help for 40
    on Details tab 35
    on Query tab 31
    on Results tab 34
file permissions, registrar 8, 16, 17

H
help for RA Desktop 31
hold, putting certificate on 19, 35
How do I... topics 5

I
installing the RA Desktop 9
Internet Explorer
    default certificate 10
    release 40

K
key, compromised 35
keyboard, alternatives to a mouse 40

L
LDAP protocol 26
List tab
    records per page 12
    viewing pages 14

M
multiple registrars 28

O
overview
    registrar role 3


overview (continued)
    Trust Authority 1

P
page size for results
    options 33
    setting 12
permissions 34
    check for domain 21
    for action in domain 16, 21
    getting for domain 8
PKCS #10 request for certificate 27
PKIX-compliant application 26
preparation to use the RA Desktop 5
preregistration 23
    scenario for tasks 23
processing attributes 36
profile, request 18, 28
progress bar 40
protocol, Directory access 26
protocols 26
purpose of certificate 37

Q
query
    by renewability 32
    by status 31
    expiring certificates 12
    feedback during processing 13
    fields 31
    pending requests 11
    predefined 33
    preparing 11
    revising 13
    servlet to support 28
    submitting 11
query results
    acting on 16, 17, 19, 20
    displaying as a list 13, 33
    displaying in detail 14
    expiring certificates 12
    limiting records per page 12
    paging through 14
    pending requests 11
    selecting records in 16
    setting retrieval limit 12, 33
    viewing action history 15
    viewing attributes 14
    viewing query results 13
Query tab 31

R
RA Desktop
    accessing 10
    authorization for 8
    enrollment to access 6
    exiting 21
    installing 9
    preparing to use 5
    reconfiguring 10
    servlet to support 28
    uninstalling 21
reasons for revocation 35
reconfiguring the RA Desktop 10
records, selecting 16
records per page, Results tab 12, 33
Reference topics 31
registrar
    actions by 34
    automated tasks 3, 24
    certificate to access RA Desktop 6
    checking enrollment status 8
    comment regarding action 18
    enrolling 6
    history of actions 15, 36
    impact on registration database 25
    multiple registrars 28
    permissions for domain 21, 34
    role 3
    servlet to support tasks 28
registration 24
    actions for 34
    applying business policy 24
    automated 3, 24
    need for 3
    policies 24
    tasks, registrar 3
    Web browser support 23
Registration Authority 24
registration database 3, 24
registration domain 6, 8, 24, 28
registration records 25
    attributes 25
    fields for retrieving 31
    handling by RA 3
    limiting retrieval 12
    predefined query 33
    querying 11
    selecting for action 16
    setting number per page 12
removing the RA Desktop 21
renewability 19, 27
request attributes 36
request ID 6, 8
request profile 18, 28
Results tab 33
retrieval limit
    options 33
    setting 12
revocation, reasons for 35

S
secure applications 3
SecureWay 1
server certificate 27
servlet to support RA Desktop 28
starting the RA Desktop 10
status
    current 31, 39
    values 39
    viewing 14
status area 40

T
tab help 40
table
    action history 15, 36
    attributes 14, 36
    paging through 14
    query results 13, 33
    resizing a column 16
    selecting records in 16
    sorting rows 16
table records, selecting 16
tabs, RA Desktop
    common features 40
    Details tab 14, 35
    help for 40
    moving between 15
    Query tab 11, 31
    Results tab 13, 33
Tell me about... topics 23
type of certificate 37

U
uninstalling the RA Desktop 21
URL
    enrollment Web page 6
    registration domain 24

V
validity period 17, 28, 37

W
Web browser 6
    preparation 5
    scenario for preregistration 23
    supported 23
    URL 6
Web browser support 23
Web page, enrollment
    accessing 6
    CA certificate for using 6, 27
    uses 23

X
X.509v3 certificate extensions 27


Program Number: 5648-D09

Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber.

SH09-4530-01