EPassport Solutions 3.00 Issue5
Configuring the issuerAltName extension . . . . . . . . . . . . . . . . . . . . . . . . 115
Configuring the CSCA root and link certificates . . . . . . . . . . . . . . . . . . . . 117
Configuring CRL Distribution Points (CDPs) . . . . . . . . . . . . . . . . . . . . . . . 120
Configuring certificate revocation lists for a CSCA . . . . . . . . . . . . . . . . . . 123
Encoding the countryName attribute in uppercase . . . . . . . . . . . . . . . . . . 126
Configuring how the CSCA encodes distinguished names . . . . . . . . . . . . 127
Controlling the issuer and subject in CSCA link certificates . . . . . . . . . . . . 129
Configuring the CA policy settings for a CSCA . . . . . . . . . . . . . . . . . . . . 131
Updating the CA certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Using the Offline Token Creation Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . .235
Overview of using the Offline Token Creation Utility . . . . . . . . . . . . . . . . 236
Preparing to use the Offline Token Creation Utility . . . . . . . . . . . . . . . . . 237
Configuring Offline Token Creation Utility logging . . . . . . . . . . . . . . . . . 244
Generating a signature key pair on a hardware token . . . . . . . . . . . . . . . 248
Recovering an offline Entrust profile on a hardware token . . . . . . . . . . . . 253
Creating the offline Entrust profile at Security Manager . . . . . . . . . . . . . . 258
Writing the Entrust profile to the hardware token . . . . . . . . . . . . . . . . . . 260
Configuring the PKD Writer Web Service. . . . . . . . . . . . . . . . . . . . . . . . . . .347
Configuring email notification for PKD Writer . . . . . . . . . . . . . . . . . . . . . 348
Configuring SMTP server settings for the PKD Writer . . . . . . . . . . . 348
Email notification files for the PKD Writer . . . . . . . . . . . . . . . . . . . . 349
Enabling and disabling email notification for PKD Writer . . . . . . . . 350
Modifying email notification subject and message text for PKD Writer . . . . 353
Modifying PKD Writer email notification to use HTML content templates . . . 355
Configuring the PKD Access credential expiry notification intervals . . . . . 356
Configuring the assurance levels for uploading CSCA materials . . . . . . . . 357
Configuring the PKD Download connection settings . . . . . . . . . . . . . . . . 359
Configuring the PKD Upload connection settings . . . . . . . . . . . . . . . . . . 362
Configuring the CSCA materials upload status folder . . . . . . . . . . . . . . . . 365
Configuring the PKD Writer Web Service logs . . . . . . . . . . . . . . . . . . . . . 367
Configuring the PKD Writer secure audit log . . . . . . . . . . . . . . . . . . . . . . 369
Configuring automatic uploads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Manually deploying a National PKD (optional) . . . . . . . . . . . . . . . . . . . . . .449
Installing an LDAP directory as the National PKD . . . . . . . . . . . . . . . . . . . 450
National PKD schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
pkdMasterListContent attribute . . . . . . . . . . . . . . . . . . . . . . . . 451
pkdVersion attribute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
pkdConformanceCode attribute. . . . . . . . . . . . . . . . . . . . . . . . 452
pkdConformanceText attribute . . . . . . . . . . . . . . . . . . . . . . . . 452
pkdPKCS10Content attribute. . . . . . . . . . . . . . . . . . . . . . . . . . 452
pkdDeviationListContent attribute . . . . . . . . . . . . . . . . . . . . . . 452
entrustNPKDCSCAMetaData attribute. . . . . . . . . . . . . . . . . . . 453
entrustNPKDAssuranceLevelPolicy attribute. . . . . . . . . . . . . . . 453
entrustNPKDAssuranceLevelExp attribute . . . . . . . . . . . . . . . . 453
entrustNPKDAssuranceLevel attribute . . . . . . . . . . . . . . . . . . . 453
entrustNPKDSignature attribute. . . . . . . . . . . . . . . . . . . . . . . . 454
entrustNPKDPublish attribute . . . . . . . . . . . . . . . . . . . . . . . . . 454
entrustNPKDCreationDate attribute. . . . . . . . . . . . . . . . . . . . . 454
Object classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
pkdMasterList object class . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
pkdDownload object class . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
pkdPKCS10 object class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
pkdDeviationList object class . . . . . . . . . . . . . . . . . . . . . . . . . . 456
entrustNPKDInfo object class . . . . . . . . . . . . . . . . . . . . . . . . . . 456
entrustNPKDPolicy object class . . . . . . . . . . . . . . . . . . . . . . . . 456
Adding required entries to the National PKD . . . . . . . . . . . . . . . . . . . . . . 457
The dc=data entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
The dc=npkd-trust-data entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Information required to install the NPKD services . . . . . . . . . . . . . . . . . . . 458
Creating a role for NPKD administrators . . . . . . . . . . . . . . . . . . . . . . . . . 537
Creating NPKD administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
Testing NPKD Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
Managing master lists in the National PKD . . . . . . . . . . . . . . . . . . . . . . . 639
Listing master lists in the National PKD . . . . . . . . . . . . . . . . . . . . . . 639
Viewing detailed information about a master list . . . . . . . . . . . . . . 641
Viewing the assurance level details of a master list . . . . . . . . . . . . . 644
Exporting master lists to files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
Removing master lists from the National PKD . . . . . . . . . . . . . . . . 649
Assigning CSCA certificates in a master list as trust anchors . . . . . . 651
Managing trust anchors in the National PKD . . . . . . . . . . . . . . . . . . . . . . 655
Listing trust anchors in the National PKD . . . . . . . . . . . . . . . . . . . . 655
Viewing detailed information about a trust anchor . . . . . . . . . . . . . 657
Viewing the assurance level details of a trust anchor . . . . . . . . . . . 660
Exporting trust anchors to files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
Removing trust anchors from the National PKD . . . . . . . . . . . . . . . 666
Importing CSCA materials into the National PKD from files . . . . . . . . . . . 668
Importing a single CSCA material from a file . . . . . . . . . . . . . . . . . 668
Importing CSCA materials from an LDIF file . . . . . . . . . . . . . . . . . . 676
Importing multiple Document Signer certificates from files . . . . . . . 681
Importing multiple CSCA certificates from files . . . . . . . . . . . . . . . . 684
Importing multiple CRLs from files . . . . . . . . . . . . . . . . . . . . . . . . . 687
Importing multiple master lists from files . . . . . . . . . . . . . . . . . . . . 690
Managing PKD Reader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
Viewing the status of PKD Reader . . . . . . . . . . . . . . . . . . . . . . . . . 693
Importing CSCA materials from PKD Reader into the National PKD 696
Editing PKD Reader settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
Downloading CSCA materials from ICAO PKD into PKD Reader . . 702
Configuring the global assurance policy settings . . . . . . . . . . . . . . . . . . . 704
Exporting the global and country-specific assurance policies to files . . . . . 708
Configuring NPKD services settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
Configuring Master List Signer authentication to a directory without anonymous access . . . 772
Configuring Master List Server authentication to a directory without anonymous access . . . 774
Configuring Master List Signer administrators for PKCS #12 enrollment . . 776
Creating an ePassport Auditor certificate type . . . . . . . . . . . . . . . . . . . . . 777
Creating Master List Signer administrators . . . . . . . . . . . . . . . . . . . . . . . . 779
Testing MLS Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 784
Translating MLS Administration files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885
Troubleshooting localization in MLS Administration . . . . . . . . . . . . . . . . . 887
HTML entities referenced by names . . . . . . . . . . . . . . . . . . . . . . . . 887
Broken JavaScript code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 887
Web browsers cannot display some locale names . . . . . . . . . . . . . . 887
Configuring email notification for CVCA Administration . . . . . . . . . . . . . 992
Configuring SMTP server settings for CVCA Administration . . . . . . 992
Changing the email format for CVCA Administration . . . . . . . . . . . 994
Email notification files for CVCA Administration . . . . . . . . . . . . . . . 994
Enabling and disabling email notification for CVCA Administration 998
Modifying email notification subject and message text for CVCA Administration . . . 1001
Modifying CVCA Administration email notification to use HTML content templates . . . 1003
Customizing CVCA Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1109
Customizing the CVCA Administration interface . . . . . . . . . . . . . . . . . . 1110
Adding your company logo to CVCA Administration . . . . . . . . . . 1110
Customizing the browser title for CVCA Administration . . . . . . . . 1111
Customizing the application title for CVCA Administration . . . . . . 1112
Customizing the online help for CVCA Administration . . . . . . . . . . . . . . 1114
Location of the CVCA Administration online help files . . . . . . . . . 1114
Editing the content of the CVCA Administration online help files . 1115
Updating the browser title of the CVCA Administration online help . . . . 1115
Updating the application title of the CVCA Administration online help . . . 1116
Customizing CVCA Administration styles . . . . . . . . . . . . . . . . . . . . . . . . 1118
Adding a custom notification service . . . . . . . . . . . . . . . . . . . . . . . . . . . 1119
Configuring the SPOC services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1213
Configuring SPOC services logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1214
Configuring the XAP connection settings for the SPOC services . . . . . . . 1216
Configuring the SPOC message threads . . . . . . . . . . . . . . . . . . . . . . . . . 1218
Configuring the HTTP header for client certificates . . . . . . . . . . . . . . . . 1220
Restricting SPOC service ports to the applicable service URLs . . . . . . . . 1221
Installing and configuring the Web server (optional) . . . . . . . . . . . . . . . 1307
Enabling SSL on your Web server . . . . . . . . . . . . . . . . . . . . . . . . . 1307
Testing the SSL-enabled Web server . . . . . . . . . . . . . . . . . . . . . . . 1308
Microsoft IIS features required for Administration Services . . . . . . 1308
Configuring the VirtualHost directive on Apache HTTP Server . . . 1309
Synchronizing Administration Services and Security Manager time settings . . . 1310
Creating DV Administration Server credentials . . . . . . . . . . . . . . . . . . . . 1311
Creating a user entry for a DV Administration Server profile . . . . . 1311
Creating a DV Administration Server profile . . . . . . . . . . . . . . . . . 1313
Updating the DV Administration Server profile keys . . . . . . . . . . . 1314
Creating DV Administration XAP credentials . . . . . . . . . . . . . . . . . . . . . 1315
Creating a user entry for a DV Administration XAP profile . . . . . . 1315
Creating a DV Administration XAP profile . . . . . . . . . . . . . . . . . . 1316
Creating Server Login credentials for a DV Administration XAP profile . . . 1317
Updating the DV Administration XAP profile keys . . . . . . . . . . . . 1317
Checking the entrust.ini file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1318
Installing DV Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1320
Completing the Microsoft IIS front-end configuration for DV Administration . . . 1351
Assigning SSL certificates to a DV Administration Web site in Microsoft IIS . . . 1351
Installing CA certificates in Microsoft IIS for DV Administration . . 1354
Completing the Apache HTTP Server front-end configuration for DV Administration . . . 1358
Assigning SSL certificates to a DV Administration VirtualHost in Apache HTTP Server . . . 1358
Adding CA certificates to Apache HTTP Server for DV Administration . . . 1361
Configuring DV Administration to connect to the DVCA . . . . . . . . . . . . 1364
Creating or modifying a user policy for DV administrators . . . . . . . . . . . 1368
Creating roles for DV administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . 1371
Creating DV administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1373
Testing DV Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1377
Configuring list operations in DV Administration . . . . . . . . . . . . . . . . . . 1451
Configuring the date format for DV Administration . . . . . . . . . . . . . . . . 1454
Configuring email notification for DV Administration . . . . . . . . . . . . . . . 1455
Configuring SMTP server settings for DV Administration . . . . . . . 1455
Changing the email format for DV Administration . . . . . . . . . . . . 1457
Email notification files for DV Administration . . . . . . . . . . . . . . . . 1457
Enabling and disabling email notification for DV Administration . . 1461
Enabling email notification for the initial Document Verifier certificate request for a foreign CVCA . . . 1464
Modifying email notification subject and message text for DV Administration . . . 1468
Modifying DV Administration email notification to use HTML content templates . . . 1470
Configuring a jurisdiction policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1471
Viewing the domestic CVCA holder identity . . . . . . . . . . . . . . . . . . . . . 1528
Configuring the CVCA policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1529
Managing Country Verifying Certification Authorities . . . . . . . . . . . . . . 1530
Adding Country Verifying Certification Authorities . . . . . . . . . . . . 1530
Viewing Country Verifying Certification Authorities . . . . . . . . . . . 1534
Finding Country Verifying Certification Authorities . . . . . . . . . . . . 1536
Modifying Country Verifying Certification Authorities . . . . . . . . . 1537
Disabling or suspending Country Verifying Certification Authorities . . . 1541
Enabling or activating Country Verifying Certification Authorities . 1542
Deleting Country Verifying Certification Authorities . . . . . . . . . . . 1545
Managing CVCA certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1546
Importing CVCA certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1546
Viewing CVCA certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1550
Exporting CVCA certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1553
Configuring the Document Verifier policy . . . . . . . . . . . . . . . . . . . . . . . 1559
Managing Document Verifier certificate requests . . . . . . . . . . . . . . . . . . 1565
Creating DV certificate requests . . . . . . . . . . . . . . . . . . . . . . . . . . 1565
Viewing DV certificate requests . . . . . . . . . . . . . . . . . . . . . . . . . . 1571
Canceling DV certificate requests . . . . . . . . . . . . . . . . . . . . . . . . . 1573
Exporting DV certificate requests . . . . . . . . . . . . . . . . . . . . . . . . . 1575
Managing Document Verifier certificates . . . . . . . . . . . . . . . . . . . . . . . . 1578
Importing DV certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1578
Viewing DV certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1581
Exporting DV certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1585
Viewing the current Document Verifier signing keys . . . . . . . . . . . . . . . 1589
Configuring Inspection System policy . . . . . . . . . . . . . . . . . . . . . . . . . . 1590
Managing Inspection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1594
Adding Inspection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1594
Viewing Inspection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1598
Finding Inspection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1601
Modifying Inspection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . 1602
Disabling or suspending Inspection Systems . . . . . . . . . . . . . . . . . 1607
Enabling or activating Inspection Systems . . . . . . . . . . . . . . . . . . . 1609
Deleting Inspection Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1611
Troubleshooting localization in DV Administration . . . . . . . . . . . . . . . . . 1652
Translating email notification templates . . . . . . . . . . . . . . . . . . . . 1652
Translating JSP pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1652
HTML entities referenced by names . . . . . . . . . . . . . . . . . . . . . . . 1653
Broken JavaScript code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1653
Web browsers cannot display some locale names . . . . . . . . . . . . . 1653
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1701
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1707
36 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0
About this guide
Revision information
Table 1: Revisions in this document
Convention  Description

Bold text (other than headings)
    Indicates graphical user interface elements and wizards. For example:
    Click Next.

Italicized text
    Used for book or document titles. For example:
    Entrust IdentityGuard Administration Guide

Blue text
    Used for hyperlinks to other sections in the document. For example:
    For more information, see “About this guide” on page 37.

Underlined blue text
    Used for Web links. For example:
    For more information, visit our Web site at https://www.entrustdatacard.com.

Courier type
    Indicates installation paths, file names, Windows registry keys, commands,
    and text you must enter. For example:
    Use the entrust-configuration.xml file to change certain options for
    Verification Server.

Angle brackets <>
    Indicates variables (text you must replace with your organization’s correct
    values). For example:
    By default, the entrust.ini file is in the following location:
    <install_path>/conf/security/entrust.ini

Square brackets [] (courier type)
    Indicates optional parameters. For example:
    dsa passwd [-ldap]

Curly braces {}
    Used to group parts of a command together. For example:
    officer client-setting {query <name> | all} | {set <name> <value>}

Vertical bar |
    Indicates either/or parameters. For example:
    dsa restore all | ca

<DSS-install>
    Indicates the installation directory of Entrust Authority Document Signer
    Service.
    By default on Windows: C:/Program Files/Entrust/DocumentSignerService
    By default on Linux: /opt/entrust/DocumentSignerService

<AS-install>
    Indicates the installation directory of Entrust Authority Administration
    Services.
    By default on Windows: C:/Program Files/Entrust/AdminServices
    By default on Linux: /opt/entrust/adminservices

Note:
    Information to help you maximize the benefits of your Entrust product.

Attention:
    Issues that, if ignored, may seriously affect performance, security, or the
    operation of your Entrust product.
Documentation feedback
You can rate and provide feedback about Entrust Datacard product documentation
by completing the online feedback form. Any information that you provide goes
directly to the documentation team and is used to improve and correct the
information in our guides. You can access this form by:
• clicking the Report any errors or omissions link located in the footer of
Entrust Datacard’s PDF documents (see bottom of this page).
• following this link: http://go.entrust.com/documentation-feedback
Feedback concerning documentation can also be directed to the Customer Support
email address.
support@entrustdatacard.com
Technical support
Entrust Datacard offers a variety of technical support programs to help you keep
Entrust products up and running. To learn more about the full range of Entrust
Datacard technical support services, visit our Web site at:
https://www.entrustdatacard.com/
If you are registered for our support programs, you can use our Web-based support
services.
Entrust Datacard TrustedCare offers technical resources including Entrust product
documentation, white papers and technical notes, and a comprehensive Knowledge
Base at:
https://trustedcare.entrustdatacard.com
If you contact Customer Support, please provide as much of the following
information as possible:
• your contact information
• product name, version, and operating system information
• your deployment scenario
• description of the problem
• copy of log files containing error messages
• description of conditions under which the error occurred
• description of troubleshooting activities you have already performed
Email address
The email address for Customer Support is:
support@entrustdatacard.com
Professional Services
The Entrust Datacard team assists organizations around the world to deploy and
maintain secure transactions and communications with their partners, customers,
suppliers and employees. Entrust Datacard offers a full range of professional services
to deploy our solutions successfully for wired and wireless networks, including
Training
Through a variety of hands-on courses, Entrust Datacard delivers effective training for
deploying, operating, administering, extending, customizing and supporting any
variety of Entrust Datacard digital identity and information security solutions.
Delivered by training professionals, Entrust Datacard’s professional training services
help to equip you with the knowledge you need to speed the deployment of your
security platforms and solutions. Please visit our training Web site at:
https://www.entrustdatacard.com/resource-center/training
This section provides an overview of the Entrust ePassport product solution, and
overviews of the Country Signing infrastructure and the Country Verifying infrastructure.
This section includes the following chapters:
• “Basic Access Control overview” on page 49
• “How the Document Signer Service works” on page 59
• “Extended Access Control overview” on page 73
1 Basic Access Control overview
BAC architecture
Each country has a single Country Signing Certification Authority (CSCA). The CSCA
acts as a root of trust for e-passports issued within its own country. The CSCA issues
certificates to one or more Document Signers. The Document Signers use the
corresponding private keys to sign the Document Security Object on electronic
passports. The CSCA also issues certificates for signing master lists of trusted CSCAs.
Countries may use these master lists to trust the CSCAs from other countries.
Figure 1 illustrates the BAC architecture showing one country.
Document Signer
Each country has one or more Document Signers. Document Signers are issued
certificates by the Country Signing Certification Authority (CSCA). Document Signers
use the corresponding private keys to sign the Document Security Object on
electronic passports.
Document Signer keys and certificates are renewed after a set number of signings,
after a set period of time, or a combination of both, which bounds the number of
passports that depend on any one signing key.
National PKD
The National PKD stores data taken from the ICAO PKD—master lists, Document
Signer certificates, and CRLs—along with validation test results and metadata. The
data can be imported from the PKD Reader or imported from files.
When deploying the NPKD services provided by Administration Services, you have
the option to deploy a National PKD directory included with Administration Services,
or you can use your own directory.
Note:
Verification Server includes other services that are not used by the CSCA solution.
Note:
The international MRTD effort is being coordinated through the International
Civil Aviation Organization (ICAO), which is responsible for issuing governing
specifications for interoperability between implementing nations. The principal
document produced by ICAO to govern PKI specifications is the Technical Report
on PKI for Machine Readable Travel Documents offering ICC read-only access v
0.4.1.0.
This chapter describes the various components of the Document Signer Service and
how they work. This chapter contains the following topics:
• “About Verification Server” on page 61
• “About the Profile Creation Utility” on page 63
• “About the Offline Token Creation Utility” on page 64
• “About the Signature Delivery Service” on page 69
Note:
Verification Server consists of three services, though you use only the Digital
Signature Service in an e-passport environment. The timestamping and XKMS
services are not used.
The Digital Signature Service is based on the SOAP Remote Procedure Call (RPC)
model.
Note:
If you do not have network connectivity to Security Manager, you must use the
Offline Token Creation Utility to create digital IDs. See “About the Offline Token
Creation Utility” on page 64 for more information.
Note:
If you have online access to Security Manager, do not use the Offline Token
Creation Utility to create an Entrust profile. Instead, use the Profile Creation
Utility. The Profile Creation Utility is used to create an Entrust profile when
Security Manager has network connectivity. See “About the Profile Creation
Utility” on page 63.
Note:
As an alternative to the process shown above, the Offline Token Creation Utility
Server may be installed directly on Security Manager. Testing is always
encouraged when altering the configuration of a Security Manager that is in
production.
Operational flow
This flow sequence begins and ends at your MRTD issuance system client software.
For help connecting your client application to the Signature Delivery Service, see
“Using the Signature Delivery Service from your application” on page 211.
1 Client request.
The MRTD issuance system client passes the XML formatted MRTD data to be
digitally signed using the HTTP or HTTPS POST method.
2 Request verification.
Once Signature Delivery Service receives the request from the client, it parses the
request and verifies the tags and formats. The Signature Delivery Service servlet
then reads the initialization file to determine what verification steps to perform.
If a tag or attribute does not comply with what is expected, Signature Delivery
Service may reject the request or record a warning.
Note:
The SOLDS is an ASN.1 object encoded using the Distinguished Encoding Rules, as
specified in ISO/IEC 8825-1:2002, Information technology - ASN.1 encoding rules:
Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and
Distinguished Encoding Rules (DER). DER, rather than BER, is required so that the
object has exactly one encoding and a verifier hashes the same bytes the signer did.
Signature Delivery Service uses SHA-256 for hashing. The increased strength over
older digests such as SHA-1 is necessary because the signed MRTD data must remain
trustworthy for the full validity period of the passport, which is many years.
5 Construct the SOLDS.
Signature Delivery Service takes the hashed data groups and wraps them into the
SOLDS. This is the ASN.1 object described in the Note to Step 4.
6 Transmit to Verification Server.
The Signature Delivery Service server passes the entire SOLDS to Verification
Server over its SOAP interface. SOAP is a standard XML-based messaging protocol;
it does not protect the message by itself, so the link between Signature Delivery
Service and Verification Server must be protected by TLS (HTTPS) and the two
endpoints must authenticate each other.
7 Hash the SOLDS in preparation for signing.
Verification Server uses SHA-256 to hash the entire SOLDS.
8 Sign the SOLDS on the hardware security module (HSM).
Verification Server sends the hashed SOLDS to the HSM, where it is digitally signed
using the RSA algorithm with a 2048-bit key; the private key never leaves the HSM.
NIST key-management guidance (SP 800-57 Part 1 and SP 800-131A) rates 1024-bit
RSA at only 80 bits of security and disallows generating signatures with it after
2013; 2048-bit RSA (112 bits of security) is the minimum it accepts for signatures
that must remain verifiable through 2030. Since a passport is valid for many years
after it is signed, this strength of cryptography is required.
9 Create the Document Security Object.
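The following is an added worked example, written for this edition and not code from the Entrust product or this guide. It reproduces steps 4, 5 and 7 of the flow above with only the Python standard library: each data group is hashed with SHA-256, the digests are wrapped into a DER-encoded LDSSecurityObject (the SOLDS, structured as in ICAO Doc 9303 Part 10), and the whole SOLDS is hashed again to produce the value that step 8 hands to the HSM. The RSA signature on the HSM is not reproduced because the standard library has no RSA. The sample data groups are constructed (the MRZ is ICAO's fictional "UTO" specimen), and the small DER parser at the end is there only to check that the object round-trips.

```python
import hashlib

# Object identifier for SHA-256, the only digest this example supports.
SHA256_OID = "2.16.840.1.101.3.4.2.1"


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """One tag-length-value triple."""
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(n: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 is added only when the top bit is set."""
    if n < 0:
        raise ValueError("negative integers are not needed for an LDSSecurityObject")
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        arc >>= 7
        while arc:
            groups.insert(0, arc & 0x7F)
            arc >>= 7
        out.extend(g | 0x80 for g in groups[:-1])  # continuation bit on all but the last
        out.append(groups[-1])
    return der_tlv(0x06, bytes(out))


def build_lds_security_object(data_groups: dict) -> bytes:
    """Steps 4 and 5: SHA-256 each data group and wrap the digests into a DER
    LDSSecurityObject (ICAO Doc 9303 Part 10):
      SEQUENCE { version INTEGER (0), hashAlgorithm AlgorithmIdentifier,
                 dataGroupHashValues SEQUENCE OF SEQUENCE {
                     dataGroupNumber INTEGER, dataGroupHashValue OCTET STRING } }
    """
    hashes = b"".join(
        der_tlv(0x30, der_integer(dg) + der_tlv(0x04, hashlib.sha256(data_groups[dg]).digest()))
        for dg in sorted(data_groups)
    )
    algorithm = der_tlv(0x30, der_oid(SHA256_OID))  # parameters absent, per RFC 5754
    return der_tlv(0x30, der_integer(0) + algorithm + der_tlv(0x30, hashes))


def solds_digest(solds: bytes) -> bytes:
    """Step 7: what is handed to the HSM for RSA signing is SHA-256 over the whole SOLDS."""
    return hashlib.sha256(solds).digest()


def parse_data_group_hashes(solds: bytes) -> dict:
    """Minimal DER walker used as a round-trip check; returns {dataGroupNumber: digest}."""
    def read_tlv(buf: bytes, pos: int):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        return tag, buf[pos:pos + length], pos + length

    tag, body, _ = read_tlv(solds, 0)
    if tag != 0x30:
        raise ValueError("SOLDS must be a SEQUENCE")
    _, _version, pos = read_tlv(body, 0)
    _, _algorithm, pos = read_tlv(body, pos)
    _, seq, _ = read_tlv(body, pos)
    result, pos = {}, 0
    while pos < len(seq):
        _, entry, pos = read_tlv(seq, pos)
        _, number, p = read_tlv(entry, 0)
        _, digest, _ = read_tlv(entry, p)
        result[int.from_bytes(number, "big")] = digest
    return result


# Constructed sample data groups, not real passport data: DG1 holds the MRZ
# (ICAO's fictional "UTO" specimen), DG2 a stand-in for the JPEG face image.
SAMPLE_DATA_GROUPS = {
    1: b"P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<",
    2: b"\xff\xd8\xff\xe0" + b"\x00" * 64,
}

if __name__ == "__main__":
    solds = build_lds_security_object(SAMPLE_DATA_GROUPS)
    print("SOLDS (DER):", solds.hex())
    print("digest for the HSM:", solds_digest(solds).hex())
```

Two points the flow relies on are visible here: the data groups themselves never leave the issuance side (only their digests are signed), and because the encoding is DER the inspection system can rebuild the identical byte string from the chip and compare digests without any negotiation about encoding options.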
Extended Access Control overview
EAC architecture
Each country has a single Country Verifying Certification Authority (CVCA). The
CVCA is the root of trust for Extended Access Control on e-passports issued within
its own country: each chip carries the public key of its domestic CVCA and accepts
inspection certificates only if they chain to that key. The CVCA authorizes domestic
and foreign Document Verifiers (DVs) to access the biometrics stored in the
e-passports by issuing them DV certificates. Each country has one Single Point of
Contact (SPOC). All international EAC certificate requests and responses are
exchanged directly between SPOCs. Each DV authorizes Inspection Systems (ISs) to
examine the contents of e-passports.
Figure 4 illustrates a sample EAC architecture with two countries.
Document Verifiers
Each country has one or more Document Verifiers (DVs). Each DV issues Inspection
System certificates in response to certificate requests from domestic Inspection
Systems. These certificates authenticate the Inspection System to e-passport chips,
and also specify which biometrics the Inspection System can access.
Each Document Verifier must request and obtain Document Verifier certificates from
the CVCA of each country whose MRTDs the Document Verifier is authorized to
access.
Inspection Systems
National passport inspection authorities (such as border services, port authorities,
customs, and police personnel) operate Inspection Systems that are capable of
validating e-passports and accessing their biometric data. An Inspection System
consists of:
• a radio frequency identification (RFID) reader capable of interacting with the
integrated circuit chip on an e-passport
• a control system to which the RFID reader is connected
• software that can manage Inspection System certificates and certificate
requests
An Inspection System may be located outside of a country’s territorial boundaries. For
example, a country may operate an Inspection System at a foreign airport to pre-clear
passengers before boarding. A Document Verifier does not have to be co-located
with an Inspection System.
Note:
If you use the DVCKM and are storing DV keys on a hardware security module
(HSM), ensure that you back up your HSM whenever the DV creates a new
certificate request. Security Manager will log audit 27974 when a new DV
certificate request is created (see “Extended Access Control audit logs” on
page 1677).
For more information about the services provided by Administration Services, see the
Administration Services Installation Guide.
Certificate lifetimes
CV certificates tend to have short lifetimes. By default in Security Manager:
• a CVCA certificate expires after three years
• a Document Verifier (DV) certificate expires after three months
• an Inspection System certificate expires after one month
A CVCA administrator determines the initial lifetime of the CVCA certificates when
initializing the CVCA, and can change subsequent CVCA certificate lifetimes by
configuring the CVCA key update settings. A CVCA determines the lifetime of DV
certificates. A DV determines the lifetime of Inspection System certificates.
In Security Manager, DV certificates cannot exceed the lifetime of the issuing CVCA
certificate. Likewise, Inspection System certificates cannot exceed the lifetime of the
issuing DV certificates. For example, if you configure DV certificates to expire after
three months, but issue a DV certificate signed by a CVCA certificate that expires in
three days, the DV certificate will expire in three days.
CV certificates can have a lifetime between one day and 25 years. The dates in a CV
certificate (the effective date and the expiration date) do not contain a time value. In
Security Manager, the expiration date cannot be the same as the effective date. CV
Certificates will expire at the end of the day on the expiration date.
It is important when planning your e-passport environment that you carefully
consider the certificate lifecycle and manage your certificates accordingly.
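The lifetime rules above (date-only validity, expiration at end of day, expiration date distinct from effective date, one day to 25 years, and clamping to the issuer's expiration) are easy to get wrong when planning a CV hierarchy. The following Python is an added example, not Security Manager code: it models those rules with month-based lifetimes and reproduces the guide's scenario of a three-month DV certificate signed by a CVCA certificate that expires in three days. The default lifetimes dictionary restates the guide's defaults; the function names are this example's own.

```python
import calendar
from datetime import date
from typing import Optional

# Default CV certificate lifetimes stated by the guide, in months
DEFAULT_LIFETIME_MONTHS = {"CVCA": 36, "DV": 3, "IS": 1}
MAX_LIFETIME_MONTHS = 25 * 12


def add_months(d: date, months: int) -> date:
    """Add whole months, clamping the day to the length of the target month."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def issue_cv_certificate(effective: date, lifetime_months: int,
                         issuer_expiry: Optional[date] = None) -> date:
    """Return the expiration date a CV certificate would carry.

    Dates carry no time value and the certificate is valid through the end
    of the expiration date. The configured lifetime is clamped to the issuer
    certificate's expiration date, the expiration date must differ from the
    effective date, and the lifetime must stay within one day to 25 years.
    """
    requested = add_months(effective, lifetime_months)
    expiry = requested if issuer_expiry is None else min(requested, issuer_expiry)
    if expiry <= effective:
        raise ValueError("expiration date must be later than the effective date")
    if expiry > add_months(effective, MAX_LIFETIME_MONTHS):
        raise ValueError("CV certificate lifetime cannot exceed 25 years")
    return expiry


def is_valid_on(effective: date, expiry: date, day: date) -> bool:
    """True when the certificate is valid on the given calendar day (inclusive)."""
    return effective <= day <= expiry


if __name__ == "__main__":
    # The guide's scenario: DV configured for three months, CVCA expires in three days
    cvca_expiry = date(2024, 1, 13)
    dv_expiry = issue_cv_certificate(date(2024, 1, 10), DEFAULT_LIFETIME_MONTHS["DV"],
                                     issuer_expiry=cvca_expiry)
    print("DV certificate expires", dv_expiry)
    # An Inspection System certificate is clamped again to the DV's expiry
    print("IS certificate expires",
          issue_cv_certificate(date(2024, 1, 10), DEFAULT_LIFETIME_MONTHS["IS"],
                               issuer_expiry=dv_expiry))
```

Because every certificate in the chain is clamped to its issuer, the practical check before issuing a DV or Inspection System certificate is the issuer's remaining lifetime, not the configured default.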
Certificate status
In Security Manager, CV certificates have a certificate status associated with them.
The certificate status determines the state of the certificate. A certificate can have one
of the following states:
• Not yet valid
Certificate streams
A CVCA issues DV certificates to Document Verifiers. In turn, Document Verifiers
issue Inspection System certificates anchored by the CVCA. A certificate stream is the
set of all certificates issued to an EAC entity that are anchored by a particular CVCA.
Consider the scenario illustrated in Figure 6 on page 86. In this scenario, GBcvca and
CAcvca each issue DV certificates to GBdv. GBdv then issues Inspection System
Validation strings
When you view or export any self-signed certificate or certificate request (such as a
root CVCA certificate or unauthenticated DV certificate request), Security Manager
displays validation strings for the certificate or certificate request. A validation string
is a string of alphanumeric characters representing the hash of the certificate or
certificate request. Validation strings allow administrators to verify the authenticity of
a certificate or certificate request.
For example, when a Document Verifier (DV) administrator creates and exports an
unauthenticated DV certificate request, Security Manager generates and displays
validation strings. The DV administrator then sends the certificate request and
At the CVCA
1 If the CVCA does not recognize the DV, the CVCA administrator adds the DV
holder identity to the CVCA.
2 The CVCA administrator exports the required CVCA certificates and sends them
to the DV administrator.
DVs require the initial CVCA root certificate and all subsequent link CVCA
certificates.
At the CVCA
6 The CVCA administrator accepts the certificate request.
7 The CVCA processes the certificate request and generates a DV certificate.
8 The CVCA administrator exports the DV certificate and sends it to the DV.
94 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0
Calculating the validity periods for CSCA certificates
For a Country Signing Certification Authority (CSCA), you must determine the
validity periods—the key lifetime and private key usage period—for the following key
pairs to meet ICAO requirements:
• Country Signing CA key pair
• Document Signer key pair
• Master List Signer key pair
After upgrading Security Manager, you may want to update the validity periods for
these key pairs.
This section contains the following topics:
• “Formulas for calculating the validity periods” on page 96
• “Recommended validity periods for 10-year eMRTDs” on page 97
The above points tie into the lifetime of the CSCA and Document Signer certificates.
You can itemize the lifetime variables as the following:
• emrtd_life is the lifetime of issued eMRTDs.
• emrtd_pre_issue_time is the eMRTD pre-issue time.
eMRTDs may be issued before they become valid. This is optional.
Some States may issue eMRTDs before they become valid, for instance on a
change of name upon marriage. The effect of doing this is to extend the
validity period by the longest period it is possible to pre-issue the eMRTD.
• ds_validity is the validity period (key lifetime) of the Document Signer end
entity certificate.
• ds_pku is the private key usage period of the Document Signer end entity
certificate.
• csca_validity is the validity period (key lifetime) of the CSCA root
certificate.
Table 3: Recommended key usage and validity for CSCA key pairs
Key pair Recommended key lifetime Recommended private key usage period
Recommended validity periods for the Master List Signer key pair
A Master List Signer is expected to sign master lists of trusted CSCAs far less
frequently than a Document Signer will sign passports.
Therefore, the following values are recommended for the Master List Signer key pair:
• Key lifetime: 60 months
• Private key usage period: 20% (12 months)
Note:
Microsoft Active Directory is not supported for a Country Signing Certification
Authority (CSCA).
Attention:
Not all Security Manager client applications support all the algorithms that you
can select when configuring Security Manager. When configuring Security
Manager, ensure that you select algorithms supported by all the client
applications that you plan to use.
Note:
Currently most Security Manager client applications do not support https: CDPs
and will ignore them and use the combined CRL stored in the Security Manager
directory. If the combined CRL is not enabled, you must define at least one http:
or ldap: URL so that Security Manager client applications can access the CRL. All
https: URLs must be defined last in the list of CDP URLs.
After entering a CDP URL, the configuration script will prompt you again to
enter a CDP URL.
b Enter as many CDP URLs for CSCA-type certificates as required.
c If you need to start over, enter s.
d To quit without providing any CDP URLs for CSCA-type certificates, enter q.
You must manually provide CDP URLs for CSCA-type certificates under
[CSCA CDP] in the entmgr.ini file before initializing Security Manager (see
the Security Manager Installation Guide).
e To review the list of CDP URLs you entered for CSCA-type certificates, enter r.
The configuration script displays the CDP settings, and asks if you are
finished entering CSCA CDP URLs:
The following CDP URLs have been entered:
http://domain.example.com/CRL/crlfile<number>.crl
Include LDAP DN in CDP: no
Place LDAP DN last in CDP: n/a
Finished entering CSCA CDP URLs (y/n) ? [n]
– If you need to enter more CDP URLs for CSCA-type certificates, enter n.
– If you are finished entering CDP URLs for CSCA-type certificates, enter y.
The CDP URLs for CSCA-type certificates are written to the entmgr.ini file
under the [CSCA CDP] section.
9 When prompted to configure the CA certificate lifetime:
Enter the CA certificate lifetime in months (2-300)
[187] >
Enter a lifetime, in months, for the initial CA verification certificate.
Attention:
Security Manager will not automatically update your root CA key.
Reconfiguring a CA as a CSCA
If you already installed Security Manager and you want to reconfigure your
Certification Authority (CA) as a CSCA, or if you want to ensure that you correctly
installed a CSCA, complete the steps outlined in this appendix.
This appendix includes the following sections:
• “Calculating the validity periods for CSCA certificates” on page 112
• “Configuring the issuerAltName extension” on page 115
• “Configuring the CSCA root and link certificates” on page 117
• “Configuring CRL Distribution Points (CDPs)” on page 120
• “Configuring certificate revocation lists for a CSCA” on page 123
• “Encoding the countryName attribute in uppercase” on page 126
• “Configuring how the CSCA encodes distinguished names” on page 127
• “Controlling the issuer and subject in CSCA link certificates” on page 129
• “Configuring the CA policy settings for a CSCA” on page 131
• “Updating the CA certificate” on page 133
Calculating the validity periods for CSCA certificates
For a Country Signing Certification Authority (CSCA), you must determine the
validity periods—the key lifetime and private key usage period—for the following key
pairs to meet ICAO requirements:
• Country Signing CA key pair
• Document Signer key pair
• Master List Signer key pair
After upgrading Security Manager, you may want to update the validity periods for
these key pairs.
This section contains the following topics:
• “Formulas for calculating the validity periods” on page 112
• “Recommended validity periods for 10-year eMRTDs” on page 113
The above points tie into the lifetime of the CSCA and Document Signer certificates.
You can itemize the lifetime variables as the following:
• emrtd_life is the lifetime of issued eMRTDs.
• emrtd_pre_issue_time is the eMRTD pre-issue time.
eMRTDs may be issued before they become valid. This is optional.
Some States may issue eMRTDs before they become valid, for instance on a
change of name upon marriage. The effect of doing this is to extend the
validity period by the longest period it is possible to pre-issue the eMRTD.
• ds_validity is the validity period (key lifetime) of the Document Signer end
entity certificate.
• ds_pku is the private key usage period of the Document Signer end entity
certificate.
• csca_validity is the validity period (key lifetime) of the CSCA root
certificate.
Table 4: Recommended key usage and validity for CSCA key pairs
Key pair Recommended key lifetime Recommended private key usage period
Recommended validity periods for the Master List Signer key pair
A Master List Signer is expected to sign master lists of trusted CSCAs far less
frequently than a Document Signer will sign passports.
Therefore, the following values are recommended for the Master List Signer key pair:
• Key lifetime: 60 months
• Private key usage period: 20% (12 months)
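The lifetime variables itemized above (emrtd_life, emrtd_pre_issue_time, ds_validity, ds_pku, csca_validity) combine into the certificate validity periods a CSCA operator has to configure. The Python below is an added example, not part of the guide or of Security Manager. The two relationships it encodes are an assumption taken from ICAO Doc 9303 Part 12 rather than from the text above: a Document Signer certificate must outlive the last eMRTD signed at the end of its private key usage period (plus any pre-issue window), and the CSCA certificate must outlive the last Document Signer certificate it signs. The name csca_pku for the CSCA private key usage period is this example's own; all values are months.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CscaLifetimeInputs:
    """Lifetime variables in months, using the guide's names where it defines them."""
    emrtd_life: int            # lifetime of issued eMRTDs (120 for 10-year passports)
    emrtd_pre_issue_time: int  # longest period an eMRTD may be issued before it is valid; 0 if never
    ds_pku: int                # Document Signer private key usage period
    csca_pku: int              # CSCA private key usage period (name assumed here)


def ds_validity(inputs: CscaLifetimeInputs) -> int:
    """Document Signer certificate key lifetime in months.

    Assumed relationship (ICAO Doc 9303 Part 12): a passport signed on the
    last day of the DS private key usage period must remain verifiable for
    its whole life, extended by any pre-issue window.
    """
    return inputs.ds_pku + inputs.emrtd_pre_issue_time + inputs.emrtd_life


def csca_validity(inputs: CscaLifetimeInputs) -> int:
    """CSCA root certificate key lifetime in months.

    Assumed relationship: the CSCA certificate must cover a DS certificate
    issued on the last day of the CSCA private key usage period.
    """
    return inputs.csca_pku + ds_validity(inputs)


def pku_percentage(pku_months: int, lifetime_months: int) -> float:
    """Private key usage period as a percentage of the key lifetime."""
    if not 0 < pku_months <= lifetime_months:
        raise ValueError("private key usage period must lie within the key lifetime")
    return 100.0 * pku_months / lifetime_months


# The guide's Master List Signer recommendation: 60-month lifetime, 20% usage period
MASTER_LIST_SIGNER = {"key_lifetime": 60, "private_key_usage": 12}


def check_profile(key_lifetime: int, private_key_usage: int) -> bool:
    """True when a key pair's private key usage period lies within its lifetime."""
    return 0 < private_key_usage <= key_lifetime


if __name__ == "__main__":
    # Constructed planning input for 10-year eMRTDs: 3-month DS usage, 3-year CSCA usage
    plan = CscaLifetimeInputs(emrtd_life=120, emrtd_pre_issue_time=0, ds_pku=3, csca_pku=36)
    print("ds_validity   =", ds_validity(plan), "months")
    print("csca_validity =", csca_validity(plan), "months")
    print("Master List Signer usage period =",
          pku_percentage(MASTER_LIST_SIGNER["private_key_usage"],
                         MASTER_LIST_SIGNER["key_lifetime"]), "%")
```

Pre-issuing eMRTDs lengthens every certificate above them by the same amount, which is why the guide singles that practice out: a six-month pre-issue window adds six months to both ds_validity and csca_validity.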
Note:
If your CA root and link certificates already include the keyUsage and
basicConstraints extensions, ensure that they conform to ICAO requirements
as shown in this procedure. If your CA root and link certificates also include other
extensions, ensure that all extensions conform to ICAO requirements.
Note:
Security Manager can only write to a network location if the account used by the
Security Manager services has direct write privileges to that location.
Note:
It is strongly recommended that you define CDP definition data for the individual
CSCA and ePassport certificate types, rather than define the CDP definition
globally for all certificate types.
Note:
Currently most Security Manager client applications do not support https: CDPs
and will ignore them and use the combined CRL stored in the Security Manager
directory. If the combined CRL is not enabled, you must define at least one http:
or ldap: URL so that Security Manager client applications can access the CRL. All
https: URLs must be defined last in the list of CDP URLs.
A CSCA may publish the combined CRL to its own locations and the PKD.
For example:
1=http://<server>/CRL/CAN.crl
2=https://pkddownload1.icao.int/CRLs/CAN.crl ;PKD location
See the Security Manager Administration User Guide for more information
about configuring CDPs.
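The notes above state two ordering rules for the CDP list: unless the combined CRL is enabled there must be at least one http: or ldap: URL, and every https: URL must come after the others, because most client applications skip https: CDPs. The Python below is an added example, not a Security Manager tool: it parses a numbered list in the "<n>=<url> ;comment" form shown above and reports any violation. The sample list is constructed for this example; the host names in it are placeholders.

```python
from typing import List

# Constructed sample in the numbered "<n>=<url> ;comment" form shown in the guide
SAMPLE_CDP_LIST = """
1=http://crl.example.com/CRL/CAN.crl
2=ldap://ldap.example.com/cn=CRL1,o=Example,c=CA
3=https://pkddownload1.icao.int/CRLs/CAN.crl ;PKD location
"""


def parse_cdp_entries(text: str) -> List[str]:
    """Return the CDP URLs ordered by their numeric index; ';' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        index, url = line.split("=", 1)   # only the first '=' separates index and URL
        entries.append((int(index.strip()), url.strip()))
    return [url for _, url in sorted(entries)]


def check_cdp_list(urls: List[str], combined_crl_enabled: bool = False) -> List[str]:
    """Apply the guide's two CDP rules to an ordered URL list and report violations."""
    problems = []
    schemes = [u.split(":", 1)[0].lower() for u in urls]
    if not combined_crl_enabled and not any(s in ("http", "ldap") for s in schemes):
        problems.append("no http: or ldap: CDP URL: clients that ignore https: CDPs "
                        "have no CRL to fetch while the combined CRL is disabled")
    seen_https = False
    for url, scheme in zip(urls, schemes):
        if scheme == "https":
            seen_https = True
        elif seen_https:
            problems.append(f"{url} is listed after an https: URL; https: URLs must be last")
    return problems


if __name__ == "__main__":
    urls = parse_cdp_entries(SAMPLE_CDP_LIST)
    for problem in check_cdp_list(urls) or ["CDP list is consistent with the guide's rules"]:
        print(problem)
```

Run the check against the CDP definitions in the exported certificate specification file before importing it back with fcs import, since the ordering rule is not something the clients will report; they simply fall back to the combined CRL or fail to find one.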
7 Save and close the file.
8 If you made changes to the file, import the file back into Security Manager by
entering the following command:
fcs import <file>
Where <file> is the full path and file name for the certificate specifications file.
fcs import c:/master.certspec
9 Proceed to “Configuring certificate revocation lists for a CSCA” on page 123.
Note:
It is not mandatory to change the Security Manager directory to have
countryName uppercase, but it is recommended that this is done for clarity so
that the contents in the directory are the same as the DNs in certificates.
Note:
If the advanced setting DNEncoding currently has printable set first in the list
and you want to change it to utf8, contact Entrust Customer Support.
See the Security Manager Operations Guide for more information about the
DNEncoding advanced setting.
ICAO recommends that a CSCA with RSA keys use RSA-3072 or stronger. ICAO
recommends that a CSCA with an elliptic curve use a 256-bit elliptic curve or
stronger. The curves EC-P-256, EC-ansix9p256k1, EC-ansix9p256r1,
EC-brainpoolP256r1, and EC-brainpoolP256t1 are 256-bit elliptic curves.
The CSCA signing algorithm should be as strong as the key type or stronger. For
example, an RSA-3072 key type should use an RSAPSS-SHA256 or stronger
signing algorithm, and a 256-bit elliptic curve should use an ECDSA-SHA256 or
stronger signing algorithm.
3 If your CA key type and signing algorithm do not meet ICAO requirements, you
must change the key type and signing algorithm for the next CA certificate.
To change the key type and signing algorithm for the next CA certificate, enter:
ca key config -keyType <type> -signatureAlg <alg>
Where <type> is the key type and <alg> is the signing algorithm for the next CA
certificate.
For example:
ca key config -keyType RSA-3072 -signatureAlg RSAPSS-SHA256
or
ca key config -keyType EC-P-256 -signatureAlg ECDSA-SHA256
4 Proceed to “To view and configure the CA lifetime and private key usage” on
page 131.
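The rules in the steps above (RSA-3072 or stronger, a 256-bit curve or stronger, and a signing algorithm at least as strong as the key) can be checked before running ca key config. The Python below is an added example, not part of Security Manager: it parses key type and signing algorithm names in the forms the guide shows (RSA-<bits>, EC-…<bits>…, RSAPSS-SHA<bits>, ECDSA-SHA<bits>) and compares security strengths. The strength equivalences are an assumption taken from NIST SP 800-57 Part 1; the guide itself only states the RSA-3072, 256-bit curve and SHA-256 floors. Key type names other than those listed in the guide are constructed inputs.

```python
import re
from typing import List, Tuple


def _rsa_strength(bits: int) -> int:
    """Security strength of an RSA modulus (NIST SP 800-57 Part 1, assumed mapping)."""
    for floor, strength in ((15360, 256), (7680, 192), (3072, 128), (2048, 112)):
        if bits >= floor:
            return strength
    return 80


def _ec_strength(bits: int) -> int:
    """Security strength of an elliptic curve is about half its field size."""
    return bits // 2


def _hash_strength(bits: int) -> int:
    """Collision resistance of a hash is about half its output size."""
    return bits // 2


def parse_key_type(key_type: str) -> Tuple[str, int]:
    """Split 'RSA-3072' or 'EC-brainpoolP256r1' into (family, bits)."""
    upper = key_type.upper()
    family = "RSA" if upper.startswith("RSA") else "EC" if upper.startswith("EC") else None
    match = re.search(r"(\d{3,})", key_type)   # first run of 3+ digits is the size
    if family is None or not match:
        raise ValueError(f"unrecognised key type {key_type!r}")
    return family, int(match.group(1))


def parse_signature_alg(alg: str) -> Tuple[str, int]:
    """Split 'RSAPSS-SHA256' or 'ECDSA-SHA256' into (family, hash bits)."""
    upper = alg.upper()
    family = "RSA" if upper.startswith("RSA") else "EC" if upper.startswith("ECDSA") else None
    match = re.search(r"SHA-?(\d+)", upper)
    if family is None or not match:
        raise ValueError(f"unrecognised signing algorithm {alg!r}")
    return family, int(match.group(1))


def check_csca_algorithms(key_type: str, signature_alg: str) -> List[str]:
    """Report where a key type / signing algorithm pair falls short of the guide's rules."""
    problems = []
    key_family, key_bits = parse_key_type(key_type)
    alg_family, hash_bits = parse_signature_alg(signature_alg)
    if key_family == "RSA":
        key_strength = _rsa_strength(key_bits)
        if key_bits < 3072:
            problems.append(f"{key_type}: ICAO recommends RSA-3072 or stronger")
    else:
        key_strength = _ec_strength(key_bits)
        if key_bits < 256:
            problems.append(f"{key_type}: ICAO recommends a 256-bit curve or stronger")
    if alg_family != key_family:
        problems.append(f"{signature_alg} does not match the {key_family} key type")
    if _hash_strength(hash_bits) < key_strength:
        problems.append(f"{signature_alg} is weaker than {key_type}; use a stronger hash")
    return problems


if __name__ == "__main__":
    for pair in (("RSA-3072", "RSAPSS-SHA256"), ("EC-P-256", "ECDSA-SHA256"),
                 ("RSA-2048", "RSAPSS-SHA256")):
        print(pair, check_csca_algorithms(*pair) or "meets the recommendations")
```

The family check matters as much as the size check: a mismatched pair such as an EC key with an RSA-PSS algorithm is rejected by Security Manager anyway, but catching it in planning avoids a failed key update.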
Note:
Security Manager will not automatically update your root CA key.
Attention:
Do not revoke the previous CA certificate if you issued any passports that were
signed with the previous CA certificate. After revoking the previous CA
certificate, any passports signed with the previous CA key will no longer validate.
If you have no hardware devices installed, no hardware devices will appear in the
list of options.
3 Enter the number associated with the action you want to select. For instance,
from the previous example, enter 1 to update a software-generated key, or 4 to
cancel the update operation.
If you update a hardware-generated key, you may be prompted for the device
password. If you update a software-generated key, no password is required.
4 If the services are running, the following prompt appears:
The services will be stopped and the CA key updated.
Do you wish to continue (y/n) ? [y]
Serial Numbers:
[1] 4C694332 (1281966898)
[2] 4C69436B (1281966955)
[3] 4C69436C (1281966956)
[4] 4C69436D (1281966957)
Customizing Document Signer certificates
Security Manager includes a certificate type named ePassport - Document Signer.
This certificate type is for signing the Document Security Object on electronic
passports. Your Country Signing Certification Authority (CSCA) issues these
certificate types to a Document Signer.
The default ePassport - Document Signer certificate type contains the object
identifiers (OIDs) and extensions required by the International Civil Aviation
Organization (ICAO). When customizing the Document Signer certificates, ensure
you follow the requirements outlined by the ICAO.
This section describes how to customize the Document Signer certificates issued by
your CSCA.
This section contains the following topics:
• “Configuring the CDP definitions for Document Signer certificates” on
page 138
• “Modifying the Document Signer user policy” on page 141
Note:
Security Manager can only write to a network location if the account used by the
Security Manager services has direct write privileges to that location.
Note:
It is strongly recommended that you define CDP definition data for the individual
CSCA and ePassport certificate types, rather than define the CDP definition
globally for all certificate types.
Note:
Currently most Security Manager client applications do not support https: CDPs
and will ignore them and use the combined CRL stored in the Security Manager
directory. If the combined CRL is not enabled, you must define at least one http:
or ldap: URL so that Security Manager client applications can access the CRL.
A CSCA may publish the combined CRL to its own locations and the PKD. For
example:
1=http://<server>/CRL/CAN.crl
To create a user entry for the Master List Signer profile using Security Manager
Administration
1 Ensure you have performed the steps detailed in “Customizing Master List Signer
certificates” on page 143.
2 Log in to Security Manager Administration.
3 Select Users > New User.
The New User dialog box appears.
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
Note:
There can be only one Master List Signer instance.
Keys are updated only on Administration Services start up. You may have to schedule
server restarts periodically with a frequency that corresponds to the configured
certificate lifetime.
Note:
Security Manager will not automatically update your root CA key. Ensure that
you update the CA key when 33% of the CA verification certificate lifetime has
passed.
The International Civil Aviation Organization (ICAO) requires that countries give 90
days notice before they change their certificate. When Security Manager begins
logging audit -7953, inform the other countries that your CSCA will be updated in 90
days. After 90 days, update your CSCA keys.
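Because Security Manager does not update the root CA key by itself, the 33% point of the CA verification certificate lifetime and the 90-day notice period have to be tracked by the operator. The Python below is an added example, not part of Security Manager: given the certificate's effective date and its lifetime in months (the configuration script's default of 187 is used when none is given), it returns the key-update date and the latest date on which other countries must be informed. Treating the 33% point as the update date and counting the 90 days back from it is this example's assumption; the guide ties the notice to the start of audit -7953 rather than to a calendar date.

```python
import calendar
from datetime import date, timedelta
from typing import Dict, Optional

KEY_UPDATE_FRACTION = 0.33        # update the CA key when 33% of the lifetime has passed
NOTICE_DAYS = 90                  # ICAO: 90 days notice before the certificate changes
DEFAULT_CA_LIFETIME_MONTHS = 187  # the configuration script's default


def add_months(d: date, months: int) -> date:
    """Add whole months, clamping the day to the length of the target month."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def key_update_schedule(effective: date, lifetime_months: int = DEFAULT_CA_LIFETIME_MONTHS,
                        today: Optional[date] = None) -> Dict[str, object]:
    """Plan the CSCA key update for a CA verification certificate.

    Returns the certificate expiry, the date by which the key should be
    updated (33% of the lifetime), the latest date to notify other countries
    (90 days earlier), and which phase the given day falls in.
    """
    today = today or date.today()
    expiry = add_months(effective, lifetime_months)
    total_days = (expiry - effective).days
    update_due = effective + timedelta(days=round(total_days * KEY_UPDATE_FRACTION))
    notify_by = update_due - timedelta(days=NOTICE_DAYS)
    if today < notify_by:
        phase = "monitor"
    elif today < update_due:
        phase = "notice period"
    else:
        phase = "update overdue"
    return {
        "expiry": expiry,
        "update_due": update_due,
        "notify_by": notify_by,
        "days_until_update": (update_due - today).days,
        "phase": phase,
    }


if __name__ == "__main__":
    # Constructed effective date; the default 187-month lifetime from the installer prompt
    for key, value in key_update_schedule(date(2024, 1, 1), today=date(2024, 1, 1)).items():
        print(f"{key:>18}: {value}")
```

The "notice period" phase is the window in which the audit should already be prompting the notification; reaching "update overdue" without having changed the key means relying parties will see the CSCA change with less than the 90 days ICAO requires.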
Note:
Do not change the CSCA DN unnecessarily as it can adversely impact relying
parties. For example, other countries must retain both the old and new names as
valid CSCAs for your country until all e-passports signed under the old name have
expired.
Changing the CSCA DN requires that you also perform a CSCA key update to
generate a new CSCA root certificate.
This section includes the following topics:
• “Performing a CSCA key update and changing the CSCA DN in Security
Manager” on page 155
• “Known issues and limitations of a CSCA DN change” on page 160
This section provides instructions for installing and configuring the Document Signer
Service solution of products.
This section includes the following chapters:
• “Deploying the Document Signer Service” on page 163
• “Using the Signature Delivery Service from your application” on page 211
• “Using the Offline Token Creation Utility” on page 235
• “Using Verification Server” on page 263
• “Verification Server entrust-configuration.xml file” on page 287
Deployment overview
Deploying the Document Signer Service includes the following steps. Each step is
described in further detail in this chapter.
1 Install the Document Signer Service. For instructions, see “Installing the
Document Signer Service” on page 165.
2 Configure Verification Server (see “Configuring Verification Server” on
page 186).
Verification Server is a component of the Document Signer Service. Verification
Server includes the Digital Signature service. The Digital Signature service accepts
incoming XML documents from Web service clients such as Signature Delivery
Service, signs them using its signing private key, and sends a CMS signed data
object back to the requester.
Configuring Verification Server includes:
• enabling the Digital Signature service
• creating an Entrust profile for the Digital Signature service
• configuring the Digital Signature service for an ePassport system
3 (Optional.) Configure a front-end Web server for the Signature Delivery Service
For instructions, see “Configuring a front-end Web server for the Signature
Delivery Service” on page 195.
Using a front-end Web server provides more security as Signature Delivery
Service clients communicate with the Web server instead of Apache Tomcat
directly. The Web server can act as a proxy for the Apache Tomcat server, which
can be behind a firewall. Apache Tomcat is the application server used by the
Document Signer Service. Apache Tomcat is included in the Document Signer
Service installation.
4 Secure access to the Digital Signature service. For instructions, see “Securing
access to Verification Server” on page 197. The Digital Signature service is a
feature of Verification Server.
5 Configure SSL in the Document Signer Service. For instructions, see “Configuring
SSL in the Document Signer Service” on page 199).
6 Restart the Document Signer Service. For instructions, see “Restarting the
Document Signer Service” on page 206.
Click Next.
a In the CA Host field, enter the IP address or DNS name of the server hosting
Security Manager. For example:
domain.example.com
b In the CA CMP Port field, enter the CMP port of Security Manager (default
829).
c In the Directory Host field, enter the IP address or DNS name of the server
hosting the Security Manager directory. For example:
ldap.example.com
d In the Directory LDAP Port field, enter the LDAP port of the Security
Manager directory (default 389).
e Click Next to continue.
You can configure demonstration mode with the installer. For demonstration
mode, the installer will modify some configuration files to allow you to start
Verification Server using sample Entrust profiles (EPF files).
Attention:
Do not use the sample profiles in a production system. Many people know the
password and therefore have access to the private keys for the profiles.
a In the VS Host field, enter the IP address or DNS name of the server hosting
Verification Server. For example:
domain.example.com
If you are installing the Signature Delivery Service on the same server as
Verification Server, you can keep the default value localhost.
b In the VS Port field, enter the Verification Server port (default 8080).
By default, Verification Server uses port 8080. If Verification Server uses a
front-end Web server to forward requests, enter the port used by the Web
server.
c Click Next to continue.
a In the CA Host field, enter the IP address or DNS name of the server hosting
Security Manager. For example:
domain.example.com
If you are installing the Offline Token Creation Utility server component on
the same server as Security Manager, you can keep the default value
localhost.
b In the CA CMP Port field, enter the CMP port of Security Manager (default
829).
c Click Next to continue.
Note:
You can quit the installation at any time by pressing Ctrl+C.
Attention:
Do not use the sample profiles in a production system. Many people know the
password and therefore have access to the private keys for the profiles.
• To configure production mode, enter 1. You must create your own Entrust
profiles to use Verification Server.
• To configure demonstration mode, enter 2.
13 If you are installing the Signature Delivery Service, the installer prompts you for
information required for the Signature Delivery Service to connect to Verification
Server:
Get User Input: Signature Delivery Service
------------------------------------------
Enter the requested information for Verification Server:
a The installer prompts you to provide the CA host:
VS Host (Default: localhost):
Enter the IP address or DNS name of the server hosting Verification Server.
For example:
Note:
If you specify more than one address and port number in the Server= setting,
each address must point to redundant instances of the same directory server.
Each address must reference the primary directory server or mirror instances of
the primary directory server.
If the first address does not respond within the time specified by the
DirectoryOperationTimeLimit setting, Verification Server tries to connect
using the second address, and so on.
Once Verification Server has connected to an LDAP-compliant directory, it
does not try to connect to any other directory in the list for the duration of
the session.
If Verification Server is configured offline from Security Manager and the
LDAP directory, leave this setting blank.
• DefaultProfileLocation=
This setting specifies the default profile location. This setting is used by the
Profile Creation Utility.
By default:
DefaultProfileLocation=C:/Program Files/Entrust/DocumentSignerService/VerificationServer<version>/conf/security
or
Note:
If you are storing the Entrust profile on a hardware security module (HSM),
ensure you have installed and configured your HSM according to the instructions
provided by your HSM vendor. You must initialize the HSM before creating an
Entrust profile on it. You may also want to test the HSM installation to ensure the
hardware is operational. HSM vendors typically provide a utility you can use to
test the HSM. See your token vendor’s documentation for more information.
To install and configure Apache HTTP Server as a front-end for the Signature
Delivery Service
1 From the Apache HTTP Server Project Web site (http://httpd.apache.org),
download and install a supported version of Apache HTTP Server, including
OpenSSL.
For supported Linux operating systems, Linux may include a native Apache HTTP
Server and OpenSSL that you can install.
2 Download the latest binary release of the mod_jk.so module (Tomcat connector)
for your operating system supplied by the Apache Software Foundation
(http://tomcat.apache.org/download-connectors.cgi). For Windows operating
systems, the binary release is packaged in a ZIP file.
The Document Signer Service is a 64-bit application. Ensure you download the
64-bit (x86_64) version of the Tomcat connector.
3 Extract the mod_jk.so file from the ZIP package.
4 Copy mod_jk.so into the Apache HTTP Server /modules directory. For example:
C:/Apache24/modules
or
/usr/lib64/httpd/modules
5 Create a new file called workers.properties in the Apache HTTP Server /conf
directory. For example:
C:/Apache24/conf
or
Note:
This approach is vulnerable to passive eavesdropping security attacks.
To start or stop the Document Signer Service on Windows using the Services
administrative tool
1 Open the Services administrative tool:
• On Windows Server 2016, select Start > Windows Administrative Tools >
Services.
• On Microsoft Windows Server 2012 R2, click Start, then click the down
arrow to access Apps, then click Services.
Note:
Do not click Restart or Apache Tomcat may fail to start properly. Always stop and
then start Apache Tomcat.
Configuring the Signature Delivery Service
The Signature Delivery Service is a Web application hosted on an application server
that acts as a J2EE servlet container.
When deployed, the Signature Delivery Service looks for the SDS.ini file. The
SDS.ini file determines how the Signature Delivery Service processes incoming
messages.
You can find the SDS.ini file in the following location:
<DSS-install>/SignatureDeliveryService<version>/webapps/tomcat/signaturedeliveryservice/WEB-INF/conf
The following table describes each of the SDS.ini file settings and provides the
default where appropriate.
If you make any changes to the file, you must restart the Document Signer Service
for the changes to take effect. See “Restarting the Document Signer Service” on
page 206 for instructions about restarting the Document Signer Service.
Note:
The Signature Delivery Service uses Apache Log4j 2 as its logging mechanism.
The following procedure provides some guidance about configuring the default
logging settings for the Signature Delivery Service. For more complete
information about configuring Log4j 2, see the Apache Log4j 2 documentation.
Request format
Signature Delivery Service is a Web application that receives requests as XML
documents. The content-type of the data should be set to text/xml.
As illustrated in Figure 9 on page 219, the printing and personalization (or other
external) system makes an HTTP (or HTTPS) POST request to Signature Delivery
Service with the XML request as the contents of the request. Signature Delivery
Service handles the request and passes it along to Verification Server for signing. The
signed Logical Data Structure Security Object (SOLDS) is referred to as the Document
Security Object (SOD). After Verification Server signs the SOLDS, it returns the SOD
to Signature Delivery Service. Signature Delivery Service packages the SOD into an
XML document and returns it to the caller.
The Signature Delivery Service message consists of the SOD data encapsulated in an
XML document.
Note:
A sample XML document is available in the /sampleclient folder for the
Signature Delivery Service and is named SDSv3Req.xml. The /sampleclient
folder also contains an XML schema file named SDSv3.xsd that you can use to
generate client code.
The following illustrates a sample request. In this sample, the sample request sends
the Logical Data Structure Security Object (SOLDS) as separate data groups. Requests
to the Signature Delivery Service can also send the SOLDS as a single Base64-encoded
string.
<SDSMSG TYP="REQ" ID="9EAFF983A3FC3B211AE3">
<PERSIST>
<ANYTHING>
<REQSRC LOC="ONTARIO" OFFICE="5A"/>
DG1-DG16 Lists each data group from 1-16. The content of each element is the
Base64-encoded representation of the actual data group data.
Each data group element can include a hashed attribute. This
attribute indicates whether the provided value is already hashed. For
example:
<DG1 hashed="true">
Permitted values:
• true to indicate that the data group value provided is already
hashed.
• false to indicate that the data group value is not hashed. The
Signature Delivery Service will hash the value.
If the hashed attribute is not included, it defaults to false (the
Signature Delivery Service will hash the value).
Note: If you send the entire unsigned Logical Data Structure Security
Object (SOLDS) in the request, do not include data groups.
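The request rules described above (DG1 to DG16 as Base64 content, an optional hashed attribute that defaults to false, and no data groups when the whole SOLDS is sent) are what a client integration has to get right before the Signature Delivery Service will accept a request. The Python below is an added example, not the sample client shipped with the Signature Delivery Service: it builds a request with the SDSMSG, TYP and ID attributes and the DGn elements the guide documents, optionally pre-hashing the data groups, and checks an incoming request against those rules. Placing the DGn elements under an LD element, naming the whole-SOLDS element SOLDS, and using SHA-256 as the client-side hash are assumptions of this example; the data-group contents are constructed, and the request ID is the one from the guide's sample.

```python
import base64
import binascii
import hashlib
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

DG_TAG = re.compile(r"^DG([1-9]|1[0-6])$")
HASH_ALG = "sha256"   # assumed client-side hash; the guide does not name it here
DIGEST_LEN = hashlib.new(HASH_ALG).digest_size

# Constructed data-group contents (real DG1 and DG2 hold the MRZ and the facial image)
SAMPLE_DATA_GROUPS = {1: b"<constructed DG1 MRZ bytes>", 2: b"<constructed DG2 image bytes>"}


def build_request(request_id: str, data_groups: Dict[int, bytes], prehash: bool = False) -> str:
    """Serialize an SDSMSG request carrying data groups DG1..DG16.

    With prehash=True each element carries the digest of the data group and
    hashed="true"; otherwise the raw data is sent and the attribute is omitted,
    which the service treats as hashed="false".
    """
    root = ET.Element("SDSMSG", {"TYP": "REQ", "ID": request_id})
    ld = ET.SubElement(root, "LD")   # container element assumed by this example
    for number in sorted(data_groups):
        if not 1 <= number <= 16:
            raise ValueError(f"data group number out of range: {number}")
        payload = data_groups[number]
        if prehash:
            payload = hashlib.new(HASH_ALG, payload).digest()
        dg = ET.SubElement(ld, f"DG{number}")
        dg.text = base64.b64encode(payload).decode("ascii")
        if prehash:
            dg.set("hashed", "true")
    return ET.tostring(root, encoding="unicode")


def check_request(xml_text: str) -> List[str]:
    """Report violations of the request rules the guide states."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "SDSMSG" or root.get("TYP") != "REQ" or not root.get("ID"):
        problems.append('root must be <SDSMSG TYP="REQ" ID="..."> ')
    dgs = [e for e in root.iter() if DG_TAG.match(e.tag)]
    solds = root.find(".//SOLDS")   # element name for the whole SOLDS is assumed
    if solds is not None and dgs:
        problems.append("send either the whole SOLDS or data groups, not both")
    if solds is None and not dgs:
        problems.append("request carries neither data groups nor a SOLDS")
    for dg in dgs:
        hashed = dg.get("hashed", "false")   # absent attribute defaults to false
        if hashed not in ("true", "false"):
            problems.append(f"{dg.tag}: hashed must be true or false, got {hashed!r}")
            continue
        try:
            raw = base64.b64decode(dg.text or "", validate=True)
        except binascii.Error:
            problems.append(f"{dg.tag}: content is not valid Base64")
            continue
        if hashed == "true" and len(raw) != DIGEST_LEN:
            problems.append(f"{dg.tag}: hashed value is {len(raw)} bytes, "
                            f"expected a {DIGEST_LEN}-byte digest")
    return problems


if __name__ == "__main__":
    request = build_request("9EAFF983A3FC3B211AE3", SAMPLE_DATA_GROUPS, prehash=True)
    print(request)
    print(check_request(request) or "request is well formed")
```

Pre-hashing on the client keeps biometric data off the wire between the personalization system and the Signature Delivery Service, which is worth considering alongside the HTTPS transport described below. When the request originates from a less trusted system, parse it with a hardened XML parser (for example the defusedxml package) rather than xml.etree directly.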
Response format
The Signature Delivery Service response consists of the signed data groups
encapsulated in an XML document.
Note:
A sample XML document is available in the /sampleclient folder for the
Signature Delivery Service and is named SDSv3Req.xml. The /sampleclient
folder also contains an XML schema file named SDSv3.xsd that you can use to
generate client code.
Error format
The Signature Delivery Service error response consists of an XML document.
Note:
A sample XML document is available in the /sampleclient folder for the
Signature Delivery Service and is named SDSv3Req.xml. The /sampleclient
folder also contains an XML schema file named SDSv3.xsd that you can use to
generate client code.
SDSMSG Represents the top level element in the document. It contains the LD
child element and, optionally, a PERSIST child element. It also
contains the following two attributes:
• TYP - always RESP
• ID - the request ID copied from the request
-- Constants
ub-DataGroups INTEGER ::= 16
-- Object Identifiers
id-icao OBJECT IDENTIFIER ::= {2.23.136}
id-icao-mrtd OBJECT IDENTIFIER ::= {id-icao 1}
id-icao-mrtd-security OBJECT IDENTIFIER ::= {id-icao-mrtd 1}
id-icao-ldsSecurityObject OBJECT IDENTIFIER ::=
{id-icao-mrtd-security
Note:
You must initialize the HSM before creating an Entrust profile on it. You may also
want to test the HSM installation to ensure the hardware is operational. HSM
vendors typically provide a utility you can use to test the HSM. See your token
vendor’s documentation for more information.
Overview of using the Offline Token Creation Utility
Use the Offline Token Creation Utility to create or recover Entrust profiles for
Verification Server when Verification Server does not have network access to Security
Manager.
Note:
Settings in the hsmops.config file preceded by a number sign (#) are considered
comments and are ignored by the Offline Token Creation Utility. You can include
as many comments as you want in the hsmops.config file. For example, you can
add a comment for each setting to describe why you set a particular value.
Setting Description
smartcard.p11Library.default
    This setting specifies the full path and file name of the default PKCS #11 v2.01 token interface library.
    Note: On Windows computers, use forward slashes (/) or double backslashes (\\) in file paths.
    For example:
    smartcard.p11Library.default = C:/Program Files/Token/pkcs11.dll
    or
    smartcard.p11Library.default = C:\\Program Files\\Token\\pkcs11.dll
smartcard.p11Library.slot.<num> (where <num> is a token slot number)
    This setting specifies the full path and file name of a PKCS #11 v2.01 token interface library to use with a specific slot number. You can repeat this setting for as many slot numbers as necessary.
    This setting overrides the global default for the slot indicated. Slot numbers are typically assigned by the hardware token software and are generally consistent, using a specified range for their tokens.
    Note: On Windows computers, use forward slashes (/) or double backslashes (\\) in file paths.
    For example:
    smartcard.p11Library.slot.10 = C:/Program Files/Token/pkcs11.dll
    or
    smartcard.p11Library.slot.10 = C:\\Program Files\\Token\\pkcs11.dll
hashalgorithm
    This setting specifies the hash algorithm used by the protocol encryption certificate. The Offline Token Creation Utility Client uses this hash algorithm when displaying the hash value for a certificate request file or Entrust profile.
    Note: The value of this setting must be the same value that is set in the Offline Token Creation Utility Server easmmops.config file. The values must match so the Offline Token Creation Utility Client and Offline Token Creation Utility Server can display the same hash values of the certificate request file and Entrust profile.
    For example:
    hashalgorithm = SHA-384
    By default this setting is commented out (defaults to SHA-256).
default.selection.mainMenuChoice
    This setting specifies the menu option that is selected by default in the main menu.
    For example:
    default.selection.mainMenuChoice = 1
    By default this setting is commented out (defaults to option 1).
default.selection.slotSelect
    This setting specifies the token slot that is selected by default in a list of token slots.
    For example:
    default.selection.slotSelect = 0
    By default this setting is commented out (no token slot is selected by default).
default.selection.signingKeyAlgorithmChoice
    This setting specifies the menu option that is selected by default in a list of signature algorithms.
    For example:
    default.selection.signingKeyAlgorithmChoice = 2
    By default this setting is commented out (defaults to option 2).
default.selection.pecValidDays
    This setting specifies the default lifetime, in days, for the self-signed protocol encryption certificate.
    For example:
    default.selection.pecValidDays = 365
    By default this setting is commented out (defaults to 365 days).
default.selection.outputDir
    This setting specifies the default output directory when prompting a user to enter an output directory.
    Note: On Windows computers, use forward slashes (/) or double backslashes (\\) in file paths.
    For example:
    default.selection.outputDir = C:\\temp\\OTCU\\certs
    or
    default.selection.outputDir = C:/temp/OTCU/certs
    By default this setting is commented out (no default output directory is provided).
default.selection.doYouWantToContinue
    This setting specifies the default value when asking users if they want to continue.
    Permitted values:
    • y for yes.
    • n for no.
    For example:
    default.selection.doYouWantToContinue = n
    By default this setting is commented out (defaults to n).
default.selection.useSpecifiedECParams
    This setting specifies the default value when asking users if they want to use specified elliptic curve domain parameters in the public key.
    Permitted values:
    • y for yes.
    • n for no.
    For example:
    default.selection.useSpecifiedECParams = n
    By default this setting is commented out (defaults to n).
Setting Description
securitymanager.ip
    This setting specifies the DNS name, host name, or IPv4 address of the server hosting Entrust Authority Security Manager.
    For example:
    securitymanager.ip = domain.example.com
    or
    securitymanager.ip = 192.0.2.0
    This setting was configured during installation.
securitymanager.port
    This setting specifies the CMP port used by Security Manager. The default CMP port is 829.
    For example:
    securitymanager.port = 829
    This setting was configured during installation.
hashalgorithm
    This setting specifies the hash algorithm used by the protocol encryption certificate. The Offline Token Creation Utility Server uses this hash algorithm when displaying the hash value for a certificate request file or Entrust profile.
    Note: The value of this setting must be the same value that is set in the Offline Token Creation Utility Client hsmops.config file. The values must match so the Offline Token Creation Utility Client and Offline Token Creation Utility Server can display the same hash values of the certificate request file and Entrust profile.
    For example:
    hashalgorithm = SHA-384
    By default this setting is commented out (defaults to SHA-256).
default.selection.doYouWantToContinue
    This setting specifies the default value when asking users if they want to continue.
    Permitted values:
    • y for yes.
    • n for no.
    For example:
    default.selection.doYouWantToContinue = n
    By default this setting is commented out (defaults to n).
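The following Python script is an added example, not part of the Entrust product, that reads the client (hsmops.config) and server (easmmops.config) settings described in the two tables above and applies the rules they state: comment lines are ignored, a slot-specific PKCS #11 library overrides the default, a Windows path needs forward slashes or doubled backslashes, and a commented-out hashalgorithm means SHA-256. Both file contents are constructed samples; the file syntax (key = value) is an assumption taken from the examples in the tables.

```python
import hashlib

# Constructed sample of the client file.  The setting names come from the
# table above; the values are illustrative only.
HSMOPS_CONFIG = r"""# Offline Token Creation Utility Client settings
smartcard.p11Library.default = C:/Program Files/Token/pkcs11.dll
# slot 10 holds a token from another vendor, so it gets its own library
smartcard.p11Library.slot.10 = C:\\Program Files\\OtherToken\\cryptoki.dll
#hashalgorithm = SHA-384
default.selection.doYouWantToContinue = n
"""

# Constructed sample of the server file, with hashalgorithm uncommented.
EASMMOPS_CONFIG = r"""securitymanager.ip = domain.example.com
securitymanager.port = 829
hashalgorithm = SHA-384
"""


def parse_config(text):
    """Parse key = value lines; lines beginning with # are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed setting: %r" % line)
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def p11_library_for_slot(settings, slot):
    """The slot-specific library wins; otherwise fall back to the default."""
    specific = settings.get("smartcard.p11Library.slot.%d" % slot)
    if specific is not None:
        return specific
    default = settings.get("smartcard.p11Library.default")
    if default is None:
        raise KeyError("no PKCS #11 library configured for slot %d" % slot)
    return default


def has_unescaped_backslash(path):
    """True for a Windows path written with single backslashes, which the
    utility would misread; pairs of backslashes are the escaped form."""
    return "\\" in path.replace("\\\\", "")


def hash_algorithm(settings):
    """Commented out or absent means SHA-256, as the tables state."""
    return settings.get("hashalgorithm", "SHA-256")


def fingerprint(data, settings):
    """Hex hash of a .req file or profile, as each side would display it."""
    name = hash_algorithm(settings).replace("-", "").lower()
    return hashlib.new(name, data).hexdigest()


def hash_settings_agree(client_settings, server_settings):
    """The check to run before comparing fingerprints out of band."""
    return hash_algorithm(client_settings) == hash_algorithm(server_settings)
```

Parsing the two constructed files shows the mismatch the tables warn about: the client still defaults to SHA-256 while the server is set to SHA-384, so fingerprint() produces different values for the same .req bytes and an operator comparing them out of band would wrongly conclude the file had been altered in transit.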
Note:
The Offline Token Creation Utility uses Apache Log4j 2 as its logging mechanism.
The following procedures provide some guidance about configuring the default
logging settings for the Offline Token Creation Utility. For more complete
information about configuring Log4j 2, see the Apache Log4j 2 documentation.
Note:
To return to the main menu at any time, enter a period (.).
From the list of detected tokens, enter the slot number of the hardware token
where you want to generate signature key pairs.
7 You are prompted for the token password or PIN:
Enter the User password/PIN for this token:
Attention:
Some tokens have a built-in security mechanism that locks or zeroes the
hardware token after a certain number of consecutive failed login attempts.
Check with your token vendor for more information about your hardware token.
You may cancel this operation if you do not want to continue the user login
attempt.
Enter the password or PIN for the hardware token user to log in to the token.
8 You are prompted to select a signature algorithm and key length:
Choose a digital signature algorithm and key length:
1. RSA-1024
2. RSA-2048
3. RSA-3072
4. RSA-4096
5. RSA-6144
6. DSA-1024
7. ECDSA
Note:
The lifetime of the certificate must be long enough to allow the entire offline
token creation process to complete. The certificate lifetime minimum should be
as long as it takes to complete user enrollment.
Enter the lifetime of the self-signed protocol encryption certificate (in days), from
1 to 365.
12 If the selected hardware token already contains data, you are prompted to
confirm deletion of this data:
**** WARNING ****
This token appears to have existing data on it. If you choose to
continue, any existing keys, certificates, or other data objects
will be deleted from the token.
Do you want to continue [n]:
If the hardware token does not contain any data, the warning prompt does not
appear.
If you continue, all existing data on the token is deleted. Canceling the operation
preserves existing data.
• To cancel the operation, enter n.
• To delete all existing data and start generating key pairs, enter y.
13 The Offline Token Creation Utility Client begins to generate a key pair.
Depending on the capabilities of the hardware token, key generation may take a
few moments.
Once completed, Offline Token Creation Utility Client creates a certificate
request file containing the information needed by Security Manager to issue an
Entrust profile. The file name is a number assigned by the hardware token
followed by a .req file extension. The certificate request file is placed in the
output location you specified earlier.
To recover a profile
1 Set the user account for key recovery:
a Log in to Security Manager Administration.
b Find the user account for the profile that you want to recover.
c Select the user, then select Users > Selected User > Begin Key Recovery.
d If prompted, authorize the operation.
e Record the new reference number and authorization code.
2 Log in to the server hosting the Document Signer Service with the Offline Token
Creation Utility Client component.
3 Navigate to the following location:
<DSS-install>/OfflineTokenCreationService<version>/bin
4 Run the Offline Token Creation Utility Client:
• On Windows, run runHsmClient.bat.
• On Linux, run runHsmClient.sh (enter ./runHsmClient.sh).
5 The main menu appears:
Main Menu
1. Generate signature key pair on token
2. Recover profile from Security Manager
3. Write Entrust Profile to token
4. Exit
Select an operation [1]:
Note:
If your hardware token does not appear in the list, check the hsmops.config file
to ensure that you specified the correct PKCS #11 v2.01 interface library for your
token. For more information on the configuration file and property value that
contains this setting, see “Preparing to use the Offline Token Creation Utility” on
page 237.
From the list of detected tokens, enter the slot number of the hardware token
where you want to generate signature key pairs.
7 You are prompted for the token password or PIN:
Enter the User password/PIN for this token:
Attention:
Some tokens have a built-in security mechanism that locks or zeroes the
hardware token after a certain number of consecutive failed login attempts.
Check with your token vendor for more information about your hardware token.
You may cancel this operation if you do not want to continue the user login
attempt.
Enter the password or PIN for the hardware token user to log in to the token.
8 You are prompted to select a signature algorithm and key length:
Choose a digital signature algorithm and key length:
1. RSA-1024
2. RSA-2048
3. RSA-3072
4. RSA-4096
5. RSA-6144
6. DSA-1024
7. ECDSA
Note:
The lifetime of the certificate must be long enough to allow the entire offline
token creation process to complete. The certificate lifetime minimum should be
as long as it takes to complete user enrollment.
Enter the lifetime of the self-signed protocol encryption certificate (in days), from
1 to 365.
12 If the selected hardware token already contains data, you are prompted to
confirm deletion of this data:
**** WARNING ****
This token appears to have existing data on it. If you choose to
continue, any existing keys, certificates, or other data objects
will be deleted from the token.
Do you want to continue [n]:
If the hardware token does not contain any data, the warning prompt does not
appear.
If you continue, all existing data on the token is deleted. Cancelling the operation
preserves existing data.
To cancel the operation, enter n. To delete all existing data and start generating
key pairs, enter y.
13 The Offline Token Creation Utility begins to generate a key pair. Depending on
the capabilities of the hardware token, key generation may take a few moments.
Once completed, Offline Token Creation Utility creates a certificate request file
containing the information needed by Security Manager to issue an Entrust
profile. The file name is a number assigned by the hardware token followed by a
.req file extension. The certificate request file is placed in the output location you
specified earlier.
Note:
To complete this process, you must use the reference number and authorization
code you obtained from Security Manager when you added the user entry to
Security Manager.
Note:
To return to the main menu at any time, enter a period (.).
Using secure logging
You can configure Verification Server to securely log requests for digital signatures so
that you can detect any tampering of the data.
This section contains the following topics:
• “Creating a user entry in Security Manager for secure logging” on page 264
• “Creating an Entrust profile and Server Login credentials for secure logging”
on page 265
• “Configuring Verification Server for secure logging” on page 266
• “Viewing and verifying the secure audit log files” on page 269
Note:
If you are storing the Entrust profile on a hardware security module (HSM),
ensure you have installed and configured your HSM according to the instructions
provided by your HSM vendor. You must initialize the HSM before creating an
Entrust profile on it. You may also want to test the HSM installation to ensure the
hardware is operational. HSM vendors typically provide a utility you can use to
test the HSM. See your token vendor’s documentation for more information.
To view and verify the integrity of the secure audit log file
1 Open a command prompt.
2 Navigate to the following location:
<DSS-install>/VerificationServer<version>/bin
3 Run checkaudit.bat (Windows) or checkaudit.sh (Linux) as follows:
checkaudit.bat [-noevents] audit-file entrust-ini profile-name [slot-number] [ual-file]
./checkaudit.sh [-noevents] audit-file entrust-ini profile-name [slot-number] [ual-file]
Parameters in square brackets are optional. Where:
• -noevents instructs the utility to check only the integrity of the file and not
print out the log data.
• audit-file provides the file path and name of the audit file to be checked,
without the audit file sequence number appended to it.
For example, enter the file name secure.log to check the secure audit logs
secure.log, secure.log.0001, secure.log.0002, and so on.
The default path and file name of the secure audit log:
<DSS-install>/VerificationServer<version>/logs/webservices.secure.log
You can enter the full file path or a file path relative to the current working
directory.
• entrust-ini provides the file path and name of the entrust.ini file
associated with the digital ID used for secure logging.
The Verification Server entrust.ini file location:
<DSS-install>/VerificationServer<version>/conf/security/entrust.ini
You can enter the full file path or a file path relative to the current working
directory.
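The following Python script is an added illustration of what a check audit utility has to verify, and is not the Entrust secure logger format or the checkaudit utility itself. The product authenticates its audit log with the Entrust profile created for secure logging; this example uses an HMAC key instead so that it runs without a profile or an HSM. The record layout, the rule that secure.log is followed by secure.log.0001, secure.log.0002 and so on in that order, the key and the events are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key.  The product signs with the secure-logging profile;
# an HMAC key stands in for it here so the example is self-contained.
DEMO_KEY = b"demo-audit-key-not-for-production"
FIRST_SEQ = 1


def _record_mac(key, seq, prev_mac, event):
    """MAC over the sequence number, the previous record's MAC and the event,
    so every record is bound to its position and to its predecessor."""
    msg = json.dumps([seq, prev_mac, event], sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def write_audit(events, key=DEMO_KEY, base="secure.log", per_file=2):
    """Chain the events and split them over base, base.0001, base.0002 ...

    Returns {file_name: [json_line, ...]}.  Each record carries the MAC of
    its predecessor, so the chain continues across file boundaries.
    """
    files, seq, prev = {}, FIRST_SEQ, ""
    for start in range(0, len(events), per_file):
        name = base if start == 0 else "%s.%04d" % (base, start // per_file)
        lines = []
        for event in events[start:start + per_file]:
            mac = _record_mac(key, seq, prev, event)
            lines.append(json.dumps(
                {"seq": seq, "prev": prev, "event": event, "mac": mac}))
            prev, seq = mac, seq + 1
        files[name] = lines
    return files


def check_audit(files, key=DEMO_KEY, base="secure.log", noevents=False):
    """Verify the whole chain; return (True, events) or (False, reason).

    Like the -noevents option above, noevents=True only checks integrity
    and returns no event data.
    """
    names = [base] + sorted(n for n in files if n.startswith(base + "."))
    expected_seq, prev, events = FIRST_SEQ, "", []
    for name in names:
        if name not in files:
            return False, "missing audit file %s" % name
        for lineno, line in enumerate(files[name], 1):
            try:
                rec = json.loads(line)
            except ValueError:
                return False, "%s:%d: unparsable record" % (name, lineno)
            if rec.get("seq") != expected_seq or rec.get("prev") != prev:
                return False, ("%s:%d: chain broken (record removed, "
                               "reordered or inserted)" % (name, lineno))
            mac = _record_mac(key, rec["seq"], rec["prev"], rec.get("event"))
            if not hmac.compare_digest(mac, str(rec.get("mac", ""))):
                return False, "%s:%d: MAC mismatch (record altered)" % (name, lineno)
            prev, expected_seq = mac, expected_seq + 1
            if not noevents:
                events.append(rec["event"])
    return True, events


# Constructed sample events, shaped like signature requests a server might log.
SAMPLE_EVENTS = [
    {"op": "rfc2630Sign", "client": "192.0.2.10", "result": "ok"},
    {"op": "rfc2630SignProvideDigest", "client": "192.0.2.11", "result": "ok"},
    {"op": "rfc2630Sign", "client": "192.0.2.12", "result": "denied"},
]
```

Editing a record, deleting one from the middle of the chain, or removing a whole numbered file is detected. What a chain alone cannot detect is truncation at the end (the newest records or the newest file discarded), so a deployment that wants that guarantee must also keep the latest MAC or record count somewhere the log writer cannot change.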
For information about recovering Entrust profiles using the Profile Creation Utility, see
the Document Signer Service Verification Server Guide.
For information about recovering Entrust profiles using the Offline Token Creation
Utility, see “Recovering an offline Entrust profile on a hardware token” on page 253.
Note:
If you enable multiple instances of Verification Server in a load-balancing
environment, you must restart the other Verification Server instances when one
Verification Server updates the keys. Key update notifications are written to the
Verification Server log files.
Note:
You can change the password of an Entrust profile with the Profile Creation
Utility if Verification Server has direct access to Security Manager. If the Entrust
Profile is stored on hardware and Verification Server does not have direct access to
Security Manager, you must recover the profile using the Offline Token Creation
Utility. For instructions about using the Offline Token Creation Utility to recover
an Entrust profile, see “Recovering an offline Entrust profile on a hardware
token” on page 253.
For information about changing the password of an Entrust profile using the Profile
Creation Utility, see the Document Signer Service Verification Server Guide.
Error logging
All services provided by Verification Server write to a single log file. Each entry has an
identifier that indicates its source. If you encounter problems with Verification Server,
check the Verification Server log file. You can view the log file with any text editor.
By default, the Verification Server log file is:
<DSS-install>/VerificationServer<version>/logs/webservices.log
You can also configure Verification Server to write sensitive log file entries to a secure
log file. For details, see “Using secure logging” on page 264.
Note:
If you suspect a problem with Verification Server but do not see errors in the
Verification Server log file, check the system log file for Apache Tomcat.
For information about errors generated by the Profile Creation Utility, see the Profile
Creation Utility Error Messages in the Verification Server documentation ZIP bundle.
For information on errors generated by the check audit utility, see Secure Logger
Check Audit Utility Error Messages in the Verification Server documentation ZIP
bundle.
For more information about error logging, see:
• “Customizing the log files” on page 278
• “Logging levels” on page 279
• “Logging Digital Signature requests” on page 281
Logging levels
The following shows the available logging levels you can set listed from most urgent
to least urgent:
• fatal indicates a fatal error from which Verification Server cannot recover.
• alert indicates an error occurred for which immediate action may be
required.
• error indicates a recoverable error occurred. Verification Server continues to
operate.
• warn provides a warning message about a particular event. Verification
Server continues to operate.
• info (default) logs information about events such as:
– notification of startup
– incoming Verification Server requests
– success or failure of Verification Server operations
• debug provides detailed information about Verification Server events. It is
typically used when requested by Entrust Customer Support for debugging
purposes.
Note:
Setting the logging level value to debug has an impact on performance. It is
recommended that you use this value only when you require troubleshooting
information, and that you reset the logging level value afterwards.
Troubleshooting tips
This topic offers tips for solving some common Verification Server problems:
• “Digital ID login problems” on page 281
• “Hardware security module (HSM) problems” on page 282
• “Digital Signature Service problems” on page 283
Problem Solution
Problem: The following error appears in the log file, even though you entered the correct password:
failure during WebServiceCore.login(): The password is not valid according to the password rule, change the password first with the method changePassword() before calling this function
Solution: If password aging is enabled in the user policy associated with a Verification Server profile, your password may have expired. You must change the profile password, and recreate the corresponding Server Login file (UAL file). For more information, see “Changing the password of an Entrust profile” on page 274.
Problem: The following error appears in the log file:
Could not initialize secure logger: Error initializing audit file
Solution: This error can be caused by an expired CRL. Re-issue the CRLs at the Certification Authority (CA) and restart Verification Server.
Problem: The following error appears in the log file:
CKR_DEVICE_ERROR
Solution: If you are using the Luna SA device, this may mean that the PIN you entered on the LunaPED was incorrect. This error can occur while creating or recovering a profile using the Profile Creation Utility or while starting up Verification Server.
This error can also be caused by a timeout (approximately one minute) when the LunaPED is waiting for the user to enter a PIN. This can occur with the Profile Creation Utility at profile creation or with Verification Server at server startup time.
Problem: The following error appears in the log file:
no credentials configured (profile or HSM)
Solution: Verify the settings in the Verification Server entrust-configuration.xml file and the entrust.ini file related to profiles and HSMs.
For information about the Verification Server entrust-configuration.xml file, see “Verification Server entrust-configuration.xml file” on page 287.
For information about the Verification Server entrust.ini file, see “Configuring the Verification Server entrust.ini file” on page 186.
Problem: You see one of the following error messages at the client:
iaik.ixsil.exceptions.SignatureException: Failure while verifying a signature.
iaik.ixsil.exceptions.KeyManagerException: No key provider has been registered to get the verification key from.
or
iaik.ixsil.exceptions.SignatureException: Instantiating the verification key manager failed.
iaik.ixsil.exceptions.KeyManagerException: No KeyProviderInterface implementation class name found for preferred subelement http://schemas.xmlsoap.org/ws/2002/xx/secext:SecurityTokenReference.
Solution: The namespace URI for the SecurityTokenReference element in keyManager.properties does not match the SOAP message being verified. Add these two lines to keyManager.properties:
http://schemas.xmlsoap.org/ws/2002/xx/secext:SecurityTokenReference = com.entrust.webservices.dsig.wssecurity.keyinfo.KeyProviderImplSecurityTokenRef
Subelement.04 = http://schemas.xmlsoap.org/ws/2002/xx/secext:SecurityTokenReference
Problem: You see the following error messages at the client:
iaik.ixsil.exceptions.SignatureException: Instantiating the verification key manager failed.
iaik.ixsil.exceptions.KeyManagerException: Initialization with specified KeyInfo element failed.
iaik.ixsil.exceptions.KeyProviderException: No exception message specified.
java.lang.Exception: Could not find element with ID "X509Token" in DOM Document containing signature.
Solution: This problem can be caused for any of the following reasons:
• Client.properties is not set to use validating parse.
• The WS-Security utility schema location is not provided in the document or Client.properties. To fix this problem, open the Client.properties file and add the following schema and location pair to the schemaLocations setting:
http://schemas.xmlsoap.org/ws/2002/07/utility http://schemas.xmlsoap.org/ws/2002/07/utility/
• The BinarySecurityToken element uses a wsu namespace URI that does not point to a valid schema location. To fix this problem, change the namespace URI in the SOAP message being verified:
OLD: wsu:Id="X509Token" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/xx/utility"
NEW: wsu:Id="X509Token" xmlns:wsu="http://schemas.xmlsoap.org/ws/2002/07/utility"
Problem: You see the following error messages at the client:
iaik.ixsil.exceptions.DOMUtilsException: Creating a DOM Document from given InputStream failed.
org.xml.sax.SAXParseException: cvc-elt.1: Cannot find the declaration of element 'env:Envelope'.
Solution: The SOAP envelope schema location is not provided in the document or Client.properties. To fix this problem, open the Client.properties file and add the following schema and location pair to the schemaLocations setting:
http://schemas.xmlsoap.org/soap/envelope/ http://schemas.xmlsoap.org/soap/envelope/
Problem: You see the following error messages at the client:
iaik.ixsil.exceptions.VerifierException: Could not create Verifier object from specified XML document.
iaik.ixsil.exceptions.SignatureException: Could not create Signature object for verification purpose.
iaik.ixsil.exceptions.SignedInfoException: Could not create SignedInfo object for verification purpose.
iaik.ixsil.exceptions.ReferenceException: Could not create reference object for verification purpose.
iaik.ixsil.exceptions.AlgorithmFactoryException: Could not create an Algorithm for the specified URI ("http://www.w3.org/2001/10/xml-exc-c14n#").
java.lang.NullPointerException
Solution: The exclusive C14N algorithm URI is not listed as a transform algorithm URI in algorithms.properties. Add the following line to algorithms.properties:
Transform.http\://www.w3.org/2001/10/xml-exc-c14n\# = iaik.ixsil.algorithms.TransformImplCanonicalXML
Problem: You see the following error message at the client:
Exception in thread "main" java.lang.SecurityException: Cannot verify JCE extension: java.lang.ClassNotFoundException: javax.crypto.Cipher
Solution: This error can occur when you attempt to run the sample client against signed versions of the Entrust Authority Security Toolkit for Java .jar files. The scripts to run the sample clients were written to use the unsigned .jar files.
To fix this problem, make sure the unsigned .jar files are in the classpath, or remove entjavaxcrypto.jar from the classpath if using the signed .jar files.
Verification Server
entrust-configuration.xml file
Use the entrust-configuration.xml file to configure specific Verification Server
options. The entrust-configuration.xml file contains separate sections for global
settings and the Digital Signature service. The file also contains sections for the
Timestamp service and XKMS Certificate Validation service, which are not applicable
to ePassport.
If you make changes to entrust-configuration.xml, you must restart both the
application server and the Verification Server Web application.
Attention:
Do not leave any of the entries in entrust-configuration.xml blank. Either
specify a value for the entry or comment it out by inserting <!-- at the beginning
of the line and --> at the end of the line.
Changing global settings
The settings in the <entrust-configuration><global> section allow you to change
options that affect the general operation of Verification Server. The following table
contains details about the settings.
If you change any settings, you must save the file and restart Verification Server.
Setting Description
<entrust-credential> Sets the parent element that defines the digital ID
used by the service.
<profile> Sets the path to the Entrust profile (.epf) used by the
Digital Signature service. A default value was set
during installation.
If you are using a hardware security module (HSM)
with the Digital Signature service, comment out this
entry.
Default:
file:///<DSS-install>/VerificationService<v
ersion>/conf/security/digsig.epf
<ual> Sets the path to the Server Login file (.ual) used by
the Digital Signature service. A default value was set
during installation.
If you are using a Luna SA hardware token, the
<ual> setting is not required.
Default:
file:///<DSS-install>/VerificationService<v
ersion>/conf/security/digsig.ual
<profile-password> Sets the password used if the .ual file is not present.
For security reasons, this setting is not
recommended for production environments unless
you protect the entrust-configuration.xml file;
otherwise, the password may be read by
unauthorized individuals.
By default, this setting is commented out. If you
want to use this setting, remove <!-- from the
beginning of the line and --> from the end of the
line.
Default: changeme
Setting Description
<hsm-slot> Sets the slot number of the hardware security
module (HSM) used to store the profile used by the
Digital Signature service.
This setting is required only if you are using an HSM.
If you use this entry, you must comment out the
<profile> entry.
By default, this setting is commented out. If you
want to use this setting, remove <!-- from the
beginning of the line and --> from the end of the
line.
Default: 1
<cms><digest-method> Sets the hashing algorithm for server-calculated
hashes (method rfc2630Sign).
This hashing algorithm is used if you use
rfc2630Sign, where your client sends the entire
data to the server for hashing (using the algorithm
specified in this setting) and signing using the
server’s private signing key.
An alternative to using rfc2630Sign, is to use
rfc2630SignProvideDigest(), where the client
hashes the data, and only sends the hash to the
server for signing. If you use
rfc2630SignProvideDigest(), the hash algorithm
specified in the digest-method setting is ignored.
Possible values are: sha1, sha224, sha256, sha384,
or sha512.
If Verification Server uses DSA as its signing
algorithm, you must use sha1 as your digest
method. The DSA signing algorithm is specified in
the user policy that you set up at the CA that signed
the Verification Server’s digital ID.
Attention: For an e-passport system, change the
digest method to match the key pair algorithm
configured in the Document Signer Policy (see
“Customizing Document Signer certificates” on
page 138). For example, sha1 for RSA-1024 or
sha256 for RSA-2048.
If this setting is absent, it defaults to sha256.
Default: sha256
Setting Description
<cms><include-ca-cert> By default, the digital signatures produced by
rfc2630Sign and rfc2630SignProvideDigest
include both the signer's public verification
certificate and the signer’s issuing Certification
Authority (CA) certificate in the CMS SignedData
certificates field. This setting controls whether the
CA certificate is included in the field or not.
Note: With XML signing, no CA certificate is
included, regardless of how you set the
include-ca-cert setting.
Possible values are: true (include CA certificate),
false (exclude CA certificate).
Attention: For an e-passport system, you must set
this option to false.
Default: true
<cms><include-piv-signer-dn> Determines if Verification Server generates CMS
SignedData that contains the FIPS 201
pivSigner-DN attribute with its value equal to the
DN of the Digital Signature service.
Note: FIPS 201 refers to Personal Identity
Verification of Federal Employees and Contractors.
Possible values are: true (includes the attribute),
false (does not include the attribute).
Default: false
<cms><include-signing-time> Determines if Verification Server generates CMS
SignedData that contains the signing-time attribute.
Leaving this attribute out reduces the size of the
signature.
Possible values are: true (includes the attribute),
false (does not include the attribute).
Default: true
Setting Description
<cms><econtent-type> Determines the embedded content type OID
(applies to all CMS signatures). The default is
id-data.
Note: When the Digital Signature service client
application is Signature Delivery Service, Signature
Delivery Service overrides this setting. By default,
the eContentTypeOID value in the SDS.ini file is
used. If eContentTypeOID is not specified, Signature
Delivery Service uses 2.23.136.1.1.1.
Possible values: any content type OID.
Default: 1.2.840.113549.1.7.1
<cms><timestamp><url> Sets the URL of the Timestamp service RFC 3161
ASN.1 interface used to timestamp a CMS digital
signature.
Default:
http://localhost:8080/verificationserver/rf
c3161timestamp
<cms><timestamp><digest-method> Sets the algorithm for calculating the signature
digest used when timestamping a CMS digital
signature.
Possible values are: sha1, sha224, sha256, sha384,
or sha512.
Default: sha256
<cms><rsassa-pss-enabled> Automatically configures RSASSA_PSS parameters
based on the digest algorithm.
Possible values: true (turns the feature on), false
(turns the feature off).
Default: false
Attention: For an e-passport system, change this
option to true. Your RSA key must be long enough
to support the larger data sizes (for example, an RSA
key size of 1024 will not support SHA512). This
value must be true if you are using RSA-PSS keys.
<xml><digest-method> Sets the hashing algorithm for XML signatures.
Possible values are: sha1, sha224, sha256, sha384,
or sha512.
If Verification Server uses DSA as its signing
algorithm, you must use sha1 as your digest
method. The DSA signing algorithm is specified in
the user policy that you set up at the CA that signed
the Verification Server’s digital ID.
If this setting is absent, it defaults to sha256.
Default: sha256
This section provides instructions for installing a PKD Writer Services CA, installing and
configuring Administration Services, and administering the PKD Writer services.
This section contains the following chapters:
• “Installing a PKD Writer Services CA” on page 301
• “Deploying the PKD Writer Web Service” on page 305
• “Configuring the PKD Writer Web Service” on page 347
• “Administering the PKD Writer services” on page 373
300 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0
Installing and configuring Security Manager
Before installing Security Manager, ensure that you read all preinstallation
information described in the Security Manager 8.3 Installation Guide. Ensure that
you install and configure a supported LDAP directory and database as described in
the Security Manager 8.3 Installation Guide.
When using the countryName (c=) directory attribute to specify a two-letter country
code, the two-letter country code must be in uppercase characters to meet the ISO
3166 standard.
Install, configure, and initialize Security Manager according to the instructions in
the Security Manager 8.3 Installation Guide. After installing and configuring Security
Manager, proceed to “Post-configuration steps” on page 303.
Deployment overview
Deploying the PKD Writer Web Service includes the following steps. Each step is
described in further detail in this chapter.
1 Review the list of supported operating systems, Web servers, and Web browsers in
the Entrust Authority Administration Services Release Notes. The most recent
Release Notes are posted on Entrust Datacard TrustedCare.
2 Synchronize the application server and Security Manager Certification Authority
time setting (see “Synchronizing Administration Services and Security Manager
time settings” on page 307).
3 Create Entrust profiles for the PKD Writer Web Service:
• “Creating PKD Writer Server credentials” on page 308
• “Creating a PKD Writer Client certificate type” on page 311
• “Creating PKD Writer Client credentials” on page 312
4 Obtain a PKD Access credential for the ICAO PKD (see “Obtaining a PKD Access
credential for the ICAO PKD” on page 315).
5 Check the settings in the entrust.ini file (see “Checking the entrust.ini file” on
page 317).
6 Collect the information required to install the PKD Writer services (see
“Collecting installation information for the PKD Writer” on page 319).
7 Install the PKD Writer Web Service (see “Installing the PKD Writer Web Service”
on page 324).
8 If the Security Manager directory does not allow anonymous authentication, you
must configure authentication to the directory (see “Configuring PKD Writer
Server authentication to a directory without anonymous access” on page 344).
To create a user entry for the PKD Writer Server profile using Security Manager Administration
1 Log in to Security Manager Administration for the PKD Writer Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
4 Click the General tab.
5 From the Role drop-down list, select Server Login.
6 Select the Certificate Info tab, and then complete the following:
To create a user entry for the PKD Writer Client profile using Security Manager Administration
1 Log in to Security Manager Administration for the PKD Writer Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
To create and obtain a PKD Access credential for the ICAO PKD
1 Install Administration Services 9.3. See the Administration Services 9.3
Installation Guide for instructions.
When installing Administration Services:
a Select the Distributed installation type to install the application server
components and Web server components on separate servers.
b Select Application Server to install the application server components.
2 On a command line, navigate to the following directory:
<AS-install>/tools/pkdw-create12
3 Enter the following command:
createp12 -gen -alg RSA -keylen 2048 -signalg <algorithm> -cn "PKD Upload" -csr <csr_file> -p12 <p12_file> -email <email_address>
Note:
The algorithm (RSA) and key length (2048) are set by ICAO, and are not related
to the algorithm and key length of your PKD Writer services CA.
Where:
• <algorithm> is the signing algorithm required by ICAO. ICAO requires
SHA256 as the signing algorithm.
• <csr_file> is the file name for a Certificate Signing Request (CSR) file.
• <p12_file> is the file name for a P12 file.
• <email_address> is the email address required by ICAO. ICAO requires the
email address reference@pkd.icao.int.
For example:
createp12 -gen -alg RSA -keylen 2048 -signalg SHA256 -cn "PKD Upload" -csr pkd-access.csr -p12 pkd-access.p12 -email reference@pkd.icao.int
Note:
ICAO delivers certificates as Base64-encoded in a Microsoft Word document.
Copy the Base64-encoded text into a separate text file for the Administration
Services installer. The Administration Services installer will not recognize the
Microsoft Word document as a valid certificate file.
PKD entrust.ini
    The file path and name of the entrust.ini file from your PKD Writer Services CA. You should have already obtained the file and configured the required settings in “Checking the entrust.ini file” on page 317.
    File path and name of the PKD Writer Services CA entrust.ini file:
PKD Writer Profile
    The PKD Writer Web Service requires a profile. You should have already created this profile in “Creating PKD Writer Server credentials” on page 308.
    Profile on Token: Yes or No
    Profile on hardware:
    • Hardware slot:
    • Profile Password:
    Profile on software:
    • Profile path and file name:
    • Profile Password:
PKD Writer command line application credentials
    The PKD Writer service includes a command line application that you can use to upload CSCA materials (master lists, CRLs, and Document Signer certificates) to the ICAO PKD. The application requires a password each time you use it to upload CSCA materials.
    A strong password contains at least eight characters, and includes at least one uppercase character, one lowercase character, one number, and one non-alphanumeric character.
    Password for PKD Writer command line application:
Domestic Country Code
    The ISO 3166-1 ALPHA-2 country code of your country. For example, the country code of the United States is US.
    Domestic Country Code:
Fully qualified host name of the PKD Download Directory
    The fully qualified host name of the ICAO PKD Download Directory server. For example: PKDDownloadSG.icao.int
    Fully qualified host name of the ICAO PKD Download Directory:
TCP LDAPS port number of the PKD Download Directory
    The secure LDAP (LDAPS) port number of the ICAO PKD Download Directory.
    ICAO PKD Download Directory LDAPS Port:
PKD Download LDAP ID Password
    The password for the ICAO PKD Download LDAP ID.
    ICAO PKD Download LDAP ID Password:
PKD Download LDAP Server Certificate
    The file path and name of the ICAO PKD Download Directory’s LDAP server certificate (not the CA certificate).
    File path and name of the ICAO PKD Download LDAP server certificate:
Fully qualified host name of the PKD Upload Directory
    The fully qualified host name of the ICAO PKD Upload Directory server. For example: PKDUploadSG.icao.int
    Fully qualified host name of the ICAO PKD Upload Directory:
PKD Upload Directory LDAPS Port
    The secure LDAP (LDAPS) port number of the ICAO PKD Upload Directory.
    ICAO PKD Upload Directory LDAPS Port:
PKD Access P12 Credential
    The file path and name of the ICAO PKD Access P12 credential. You should have already obtained this P12 file in “Obtaining a PKD Access credential for the ICAO PKD” on page 315.
    File path and name of the ICAO PKD Access credential:
PKD Access P12 Password
    The password for the ICAO PKD Access P12 credential.
    ICAO PKD Access P12 Password:
PKD Upload LDAP ID Password
    The password for the ICAO PKD Upload LDAP ID.
    ICAO PKD Upload LDAP ID Password:
PKD Upload LDAP Server Certificate
    The file path and name of the ICAO PKD Upload Directory’s LDAP server certificate (not the CA certificate).
    File path and name of the ICAO PKD Upload LDAP server certificate:
Automatic CRL Uploads
    PKD Writer can automatically upload the CSCA CRL to the ICAO PKD Upload Directory.
    Enable Automatic CRL Uploads: Yes or No
URL of the CRL Source for Uploads
    PKD Writer can automatically upload the CSCA CRL to the ICAO PKD Upload Directory from a URL. Supported formats of the URL are http, https, and ldap.
    URL of the CRL Source for Uploads:
Email Notification
    PKD Writer can send email notification messages for specific events.
    Enable Email Notification for PKD Writer: Yes or No
This page lists all configured services (if any). Click Next to add a new service.
a In the SSL/TLS Port Number for PKD Writer Web Service field, enter the port
number for the PKD Writer Web Service (by default 443 or 13443).
b Click Next.
a In the text field, enter the full path and file name of the entrust.ini file
from the Entrust CA that issued the PKD Writer Server profile, or click
Choose to locate the file.
b Click Next.
a In the Enter the location of the PKD Writer Profile field, click Choose to
locate and select the PKD Writer Server profile (EPF file).
b In the Enter the Password to login to your PKD Writer Profile field, enter the
password for the EPF file.
c Click Next.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the PKD Writer Server profile.
b In the Enter the Password to login to your PKD Writer Profile field, enter the
password for the profile.
c Click Next.
Note:
PKD Writer tracks the status of the CSCA materials that have been uploaded to
the ICAO PKD Upload Directory. The status includes when the materials became
available in the ICAO PKD Download Directory. To determine when the materials
became available in the ICAO Download Directory, the PKD Writer Web Service
requires access to the ICAO PKD Download Directory.
a In the Fully Qualified Host Name of the PKD Download Directory field,
enter the fully qualified host name of the ICAO PKD Download Directory
server.
b In the TCP LDAPS Port Number of the PKD Download Directory field, enter
the secure LDAP port of the ICAO PKD Download Directory.
c In the Enter Download LDAP ID field, enter your Download LDAP ID.
d In the Enter the Password for Download LDAP field, enter the password for
your Download LDAP ID.
a In the Fully Qualified Host Name of the PKD Upload Directory field, enter
the fully qualified host name of the ICAO PKD Upload Directory server.
b In the TCP LDAPS Port Number of the PKD Upload Directory field, enter the
secure LDAP port of the ICAO PKD Upload Directory.
c In the Enter the Location of the PKD P12 credential field, enter the full path
and file name of the P12 file you generated earlier, or click Choose to locate
the file.
a To enable email notification for PKD Writer, select Enable Email Notification
for PKD Writer.
If you select this option, the email notification settings are enabled.
b If you chose to enable email notification for PKD Writer:
– In the Enter the SMTP Server Fully Qualified Domain Name field, enter the
fully qualified domain name of the SMTP server.
– In the SMTP Server Port field, enter the port number used by the SMTP
server (by default 25).
– In the Enter the PKD Writer Administrator Email Address field, enter the
email address where administrators will receive email notification
messages.
The PKD Writer Web Service sends messages to this address only if the
event is not meant for a particular object. For example, if an administrator
performs an action that requires another administrator’s approval, PKD
Writer sends the message to this email address.
– In the Enter the PKD Writer Appears From Email Address field, enter the
email address that will appear in the From field of the email message.
c Click Next.
a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. By default, this option is already selected.
– To not start the service after exiting the installer, deselect Start the service
automatically. You must manually restart Administration Services to use the
new service.
b Click Next.
The URL for the PKD Writer Web Service is
https://<server>:<port>/pkdwriter/services/PkdwwsService, where:
• <server> is the host name or IPv4 address of the server hosting the PKD
Writer Web Service.
• <port> is the SSL port for the PKD Writer Web Service (by default 443 or
13443). You specified this port when you installed the PKD Writer Web
Service.
PKD Writer clients need this URL to connect to the PKD Writer Web Service.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.
Configuring email notification for PKD Writer
When you installed PKD Writer, you had the option to enable email notification for
PKD Writer. If you did not enable email notification during the installation, or you
want to configure how email notification works, complete the steps in this section.
For more information about email notification, see the Administration Services
Installation Guide.
• “Configuring SMTP server settings for the PKD Writer” on page 348
• “Email notification files for the PKD Writer” on page 349
• “Enabling and disabling email notification for PKD Writer” on page 350
• “Modifying email notification subject and message text for PKD Writer” on
page 353
• “Modifying PKD Writer email notification to use HTML content templates”
on page 355
Table 17: PKD Writer account tasks, event IDs, and email message files
To enable or disable email notification for specific events for PKD Writer
1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for PKD Writer. You can find the file
in the following folder:
<AS-install>\services\pkdwriter\pkdwriter\webapp\WEB-INF\config
3 Locate the <Notification> element.
4 In the <Notification> element, each <Event> child element refers to a specific
event. See “Email notification files for the PKD Writer” on page 349 for a list of
event IDs.
For each event, you can configure email notification as follows:
• To enable email notification for the event, set <Enabled> to true.
<Enabled>true</Enabled>
• To disable email notification for the event, set <Enabled> to false.
<Enabled>false</Enabled>
Setting Description
<ContentTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the text of the message. See
“Modifying email notification subject and message text for PKD
Writer” on page 353 for details about editing this file.
Note: This is a system setting and should not be modified.
<FromTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the names and email addresses for
the RFC 822 From: and Reply-To: headers.
Note: This is a system setting and should not be modified.
<Id> Used to declare a unique identifier. This value must match an
identifier of a notification event that is sent by the
XAPNotificationHandler. It is the identifier that is used to
determine which email notification event should handle the
notification event.
Note: This is a system setting and should not be modified.
<RecipientTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the names and email addresses of
the recipients. The results of the transformation are a
<Recipients> element.
<SubjectTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the text of the RFC 822 Subject:
header. The result of the transformation is a <Subject> element.
See “Modifying email notification subject and message text for
PKD Writer” on page 353 for details about editing this file.
Attention:
Only personnel with knowledge of XSLT should attempt to modify email
notification text. To compare your changes with the default versions of the XSL
files, see the <AS-install>\templates folder for the default files. Do not modify
any of the files in the templates folder.
Begin using your digital ID again at any time. If you have lost your
digital ID or forgotten your password, please contact your LRA.
<xsl:call-template name="signature"/>
Setting Description
<CRL> This setting controls the minimum assurance level for CRLs that can be
uploaded to the ICAO PKD. CRLs that do not match or exceed the minimum
assurance level will not be uploaded.
Permitted values (in increasing levels of assurance):
• LOW
• MEDIUM
• HIGH
Default: HIGH
<DSC> This setting controls the minimum assurance level for Document Signer
certificates that can be uploaded to the ICAO PKD. Document Signer
certificates that do not match or exceed the minimum assurance level will not
be uploaded.
Permitted values (in increasing levels of assurance):
• LOW
• MEDIUM
• HIGH
Default: HIGH
<ML> This setting controls the minimum assurance level for master lists that can be
uploaded to the ICAO PKD. Master lists that do not match or exceed the
minimum assurance level will not be uploaded.
Permitted values (in increasing levels of assurance):
• LOW
• MEDIUM
• HIGH
Default: HIGH
Note:
You should change the PKD Download connection settings only if you entered
incorrect information when you installed the PKD Writer services.
Setting Description
<LDAPAuthType> Specifies the LDAP authentication type to the ICAO PKD Download
Directory.
Permitted values:
• Anonymous for anonymous access
• Simple for simple authentication
• SSLServerAuth for SSL server authentication
• SASLClientAuth for SASL client authentication
By default, SSL server authentication (SSLServerAuth) is required to
connect to the ICAO PKD Download Directory.
<Host> The fully qualified host name of the ICAO PKD Download Directory
server.
For example:
<Host>PKDDownloadSG.icao.int</Host>
<Port> The secure LDAP (LDAPS) port number of the ICAO PKD Download
Directory.
For example:
<Port>636</Port>
<ServerCertificate> The file path and name of the ICAO PKD Download Directory’s LDAP
server certificate (not the CA certificate).
For example:
<ServerCertificate>C:\ldap_server.cer</ServerCertificate>
<UAL> The Unattended Login (UAL) file for the P12 credential. This file
contains the encrypted password for the P12 credential. By default,
this setting contains no value because no P12 is used.
You can create UAL files with the Profile Creation Utility. See the
Administration Services Installation Guide for details.
Note:
You should change the PKD Upload connection settings only if you entered
incorrect information when you installed the PKD Writer services.
Setting Description
<LDAPAuthType> Specifies the LDAP authentication type to the ICAO PKD Upload
Directory.
Permitted values:
• Anonymous for anonymous access
• Simple for simple authentication
• SSLServerAuth for SSL server authentication
• SASLClientAuth for SASL client authentication
By default, SASL client authentication (SASLClientAuth) is required
to connect to the ICAO PKD Upload Directory.
<Host> The fully qualified host name of the ICAO PKD Upload Directory
server.
For example:
<Host>PKDUploadSG.icao.int</Host>
<Port> The secure LDAP (LDAPS) port number of the ICAO PKD Upload
Directory.
For example:
<Port>636</Port>
<ServerCertificate> The file path and name of the ICAO PKD Upload Directory’s LDAP
server certificate (not the CA certificate).
For example:
<ServerCertificate>C:\ldap_server.cer</ServerCertificate>
<UAL> The Unattended Login (UAL) file for the P12 credential. This file
contains the encrypted password for the P12 credential. By default,
the Administration Services installer created this file when you
installed the PKD Writer services.
For example:
<UAL>C:\pkd-access.ual</UAL>
You can create UAL files with the Profile Creation Utility. See the
Administration Services Installation Guide for details.
Setting Description
<Level> Sets the level of detail for the logs.
The logging level can be one of (in increasing severity) TRACE, DEBUG, INFO,
WARNING, ERROR, ALERT, or FATAL. This sets the lowest level of message to show.
For example, ERROR provides messages of ERROR, ALERT and FATAL status.
Default: INFO
<FileName> Sets the name (including path) of the log file.
Default:
<AS-install>\services\pkdwriter\pkdwriter\logs\pkdwriter_pkdwriter.log
<FileSize> Sets the maximum size of a log file, in bytes.
Default: 1000000
Do not set the value to 0, or Apache Tomcat will fail to start.
<Backups> Sets the maximum number of log files to keep. After the last log file reaches the
maximum size, the first log file is overwritten.
Default: 10
Setting Description
<Filename> The full path and file name of the PKD Writer secure audit log.
Default:
C:\Program Files\Entrust\AdminServices/services/pkdwriter/pkdwriter/logs/pkdwriter_audit.log
Note:
Currently, PKD Writer can automatically upload only the current CSCA CRL to
the ICAO PKD from a URL.
Setting Description
<UploadPeriod> This setting controls how often, in hours, that PKD Writer
automatically uploads CSCA materials to the ICAO PKD. The
value must be greater than 0 or an error will occur.
Default: 24
<CRL> This setting specifies the full URL of the CSCA CRL. Supported
formats of the URL are http, https, and ldap.
For example:
http://webserver.example.com/CRL/crl_file.crl
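Added example, not part of this guide and not Entrust's code: a Python check of a PKD Writer configuration.global.xml against the rules stated across the tables in this chapter, namely the true/false <Enabled> value of each notification <Event>, the LOW/MEDIUM/HIGH minimum assurance levels for <CRL>, <DSC> and <ML>, the permitted <LDAPAuthType> values and <Port> for the Download and Upload connections, the logging <Level> and the non-zero <FileSize>, and the <UploadPeriod> and CRL URL rules for automatic uploads. The element nesting (<Configuration>, <AssuranceLevels>, <PKDDownload>, <PKDUpload>, <Logging>, <AutoUpload>) and the event IDs in the sample are assumptions, because this excerpt names the settings but not their parent elements; `meets_minimum` shows the "match or exceed" comparison the assurance-level rows describe.

```python
"""Validate PKD Writer settings against the constraints the guide states.
Element nesting and event IDs below are assumptions, not Entrust's schema."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ASSURANCE = ("LOW", "MEDIUM", "HIGH")  # in increasing levels of assurance
AUTH_TYPES = {"Anonymous", "Simple", "SSLServerAuth", "SASLClientAuth"}
LOG_LEVELS = {"TRACE", "DEBUG", "INFO", "WARNING", "ERROR", "ALERT", "FATAL"}
CRL_SCHEMES = {"http", "https", "ldap"}

# Constructed sample with several deliberate violations (parents and IDs assumed).
SAMPLE_XML = """<Configuration>
  <Notification>
    <Event><Id>example.upload.failed</Id><Enabled>true</Enabled></Event>
    <Event><Id>example.approval.required</Id><Enabled>maybe</Enabled></Event>
  </Notification>
  <AssuranceLevels><CRL>HIGH</CRL><DSC>MEDIUM</DSC><ML>low</ML></AssuranceLevels>
  <PKDDownload>
    <LDAPAuthType>SSLServerAuth</LDAPAuthType>
    <Host>PKDDownloadSG.icao.int</Host><Port>636</Port>
  </PKDDownload>
  <PKDUpload>
    <LDAPAuthType>Basic</LDAPAuthType>
    <Host>PKDUploadSG.icao.int</Host><Port>636</Port>
  </PKDUpload>
  <Logging><Level>INFO</Level><FileSize>0</FileSize><Backups>10</Backups></Logging>
  <AutoUpload>
    <UploadPeriod>0</UploadPeriod>
    <CRL>ftp://webserver.example.com/CRL/crl_file.crl</CRL>
  </AutoUpload>
</Configuration>"""


def meets_minimum(level, minimum):
    """True when `level` matches or exceeds the configured minimum assurance."""
    return ASSURANCE.index(level) >= ASSURANCE.index(minimum)


def _text(node, path):
    child = node.find(path)
    return child.text.strip() if child is not None and child.text else None


def _positive_int(value):
    return value is not None and value.isdigit() and int(value) > 0


def validate_config(xml_text):
    """Return a list of problems; an empty list means every checked rule holds."""
    root = ET.fromstring(xml_text)
    problems = []
    for event in root.findall("Notification/Event"):
        enabled = _text(event, "Enabled")
        if enabled not in ("true", "false"):
            problems.append(f"event {_text(event, 'Id')}: <Enabled> must be true or false, got {enabled!r}")
    for name in ("CRL", "DSC", "ML"):
        level = _text(root, f"AssuranceLevels/{name}")
        if level not in ASSURANCE:  # compared exactly as the guide lists them
            problems.append(f"<{name}> must be one of {'/'.join(ASSURANCE)}, got {level!r}")
    for section in ("PKDDownload", "PKDUpload"):
        auth = _text(root, f"{section}/LDAPAuthType")
        if auth not in AUTH_TYPES:
            problems.append(f"<{section}><LDAPAuthType> must be one of {sorted(AUTH_TYPES)}, got {auth!r}")
        port = _text(root, f"{section}/Port")
        if not _positive_int(port) or int(port) > 65535:
            problems.append(f"<{section}><Port> is not a valid TCP port: {port!r}")
    if _text(root, "Logging/Level") not in LOG_LEVELS:
        problems.append(f"<Level> must be one of {sorted(LOG_LEVELS)}")
    if not _positive_int(_text(root, "Logging/FileSize")):
        problems.append("<FileSize> must be greater than 0 or Apache Tomcat will fail to start")
    if not _positive_int(_text(root, "AutoUpload/UploadPeriod")):
        problems.append("<UploadPeriod> must be greater than 0 hours")
    crl = _text(root, "AutoUpload/CRL")
    if crl and urlparse(crl).scheme not in CRL_SCHEMES:
        problems.append(f"<CRL> URL must use http, https or ldap, got {crl!r}")
    return problems
```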
Uploading Document Signer certificates to the ICAO PKD
The PKD Writer command line utility allows you to upload Document Signer
certificates to the ICAO PKD.
To display the status of domestic CSCA materials uploaded to the ICAO PKD
1 Log in to the server hosting the PKD Writer services.
The PKD Writer services are installed on a server hosting the Administration
Services application server components.
2 On a command line, navigate to the following directory:
<AS-install>/tools/pkdw-cmd
3 Enter the following command:
pkdupload -status
The PKD Writer command line utility displays information about each material
uploaded to the ICAO PKD.
This section provides instructions for installing a PKD Administration CA, installing and
configuring Administration Services, and administering the PKD Reader services.
This section contains the following chapters:
• “Installing a PKD Reader Services CA” on page 381
• “Deploying the PKD Reader Web Service” on page 385
• “Configuring the PKD Reader Web Service” on page 425
Installing and configuring Security Manager
Before installing Security Manager, ensure that you read all preinstallation
information described in the Security Manager 8.3 Installation Guide. Ensure that
you install and configure a supported LDAP directory and database as described in
the Security Manager 8.3 Installation Guide.
When using the countryName (c=) directory attribute to specify a two-letter country
code, the two-letter country code must be in uppercase characters to meet the ISO
3166 standard.
Install, configure, and initialize Security Manager according to the instructions in
the Security Manager 8.3 Installation Guide. After installing and configuring Security
Manager, proceed to “Post-configuration steps” on page 383.
Deployment overview
Deploying the PKD Reader Web Service includes the following steps. Each step is
described in further detail in this chapter.
1 Review the list of supported operating systems, Web servers, and Web browsers in
the Entrust Authority Administration Services Release Notes. The most recent
Release Notes are posted on Entrust Datacard TrustedCare.
2 Synchronize the application server and Security Manager Certification Authority
time setting (see “Synchronizing Administration Services and Security Manager
time settings” on page 387).
3 Create Entrust profiles for the PKD Reader Web Service:
• “Creating PKD Reader Server credentials” on page 388
• “Creating PKD Reader Client credentials” on page 391
4 Check the settings in the entrust.ini file (see “Checking the entrust.ini file” on
page 394).
5 PKD Reader can retrieve CSCA Registry information from the ICAO PKD Upload
Directory. Enabling the CSCA Registry Download feature requires a PKD Access
P12 credential. See “Obtaining a PKD Access P12 credential for retrieving CSCA
Registry information from the ICAO PKD” on page 398.
6 Collect the information required to install the PKD Reader services (see
“Collecting installation information for the PKD Reader” on page 399).
7 Install the PKD Reader Web Service (see “Installing the PKD Reader Web
Service” on page 404).
8 If the Security Manager directory does not allow anonymous authentication, you
must configure authentication to the directory (see “Configuring PKD Reader
Server authentication to a directory without anonymous access” on page 422).
To create a user entry for the PKD Reader Server profile using Security Manager Administration
1 Log in to Security Manager Administration for the PKD Reader Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
4 Click the General tab.
5 From the Role drop-down list, select Server Login.
6 Select the Certificate Info tab, and then complete the following:
To create a user entry for the PKD Reader Client profile using Security Manager Administration
1 Log in to Security Manager Administration for the PKD Reader Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
• RoamSearchBase<n>=<Searchbase_DN>
Where <n> is an integer and <Searchbase_DN> is the DN of an additional
searchbase where searches for roaming users are performed.
You can define up to 20 different RoamSearchBase<n> settings. For example,
RoamSearchBase1, RoamSearchBase2, RoamSearchBase3, and so on. <n>
must start at 1, and you must increment <n> by 1 for each additional
RoamSearchBase<n> setting.
For example:
RoamSearchBase1=cn=RoamingServer1,dc=example,dc=com
RoamSearchBase2=cn=RoamingServer2,dc=example,dc=com
RoamSearchBase3=cn=RoamingServer3,dc=example,dc=com
• (Optional.) RoamSSLPort=<port>
Where <port> is the SSL port number that Roaming Server uses for SSL
communications. Administration Services communicates with Roaming
Server on this port. For example:
RoamSSLPort=443
• (Optional.) ProfileServerKeyType=<key_type>
Where <key_type> is the default symmetric key for all communications with
Roaming Server. The key type must be one of CAST-128, Triple DES, or
IDEA. Roaming Server must be configured to allow communication with this
symmetric key type or Roaming Server will reject all communication
attempts.
For example:
ProfileServerKeyType=Triple DES
Remove any leading or trailing white space from this setting. Roaming login
will fail if this setting contains any leading or trailing white space. Comments
at the end of a setting are considered whitespace.
• (Optional.) RoamGetFilesFromServer=<value>
Where <value> is one of:
– 0 (Proxy mode is off)
– 1 (Proxy mode is on)
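As an added example (not part of this guide and not Entrust code), the following Python reads an entrust.ini fragment and checks the Roaming Server settings just listed against the rules the text states: RoamSearchBase<n> numbered from 1 without gaps and at most 20 entries, ProfileServerKeyType exactly one of CAST-128, Triple DES or IDEA with no leading or trailing whitespace or trailing comment, and RoamGetFilesFromServer set to 0 or 1. The fragment is constructed, and treating ';' as the comment character and range-checking RoamSSLPort are assumptions.

```python
"""Check Roaming Server settings in an entrust.ini against the guide's rules.
Constructed sample; ';' as comment character is an assumption."""
import re

KEY_TYPES = {"CAST-128", "Triple DES", "IDEA"}
MAX_SEARCHBASES = 20

SAMPLE_INI = """\
[Entrust Settings]
RoamSearchBase1=cn=RoamingServer1,dc=example,dc=com
RoamSearchBase2=cn=RoamingServer2,dc=example,dc=com
RoamSearchBase4=cn=RoamingServer4,dc=example,dc=com
RoamSSLPort=443
ProfileServerKeyType=Triple DES ; default key type
RoamGetFilesFromServer=2
"""


def parse_ini(text):
    """Key -> value pairs.  Values keep their whitespace and trailing comments
    exactly as written, because for ProfileServerKeyType those break login."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("[", ";")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value
    return settings


def check_roaming_settings(settings):
    problems = []
    # RoamSearchBase<n>: <n> starts at 1, increments by 1, at most 20 entries.
    indexes = sorted(int(m.group(1)) for m in
                     (re.fullmatch(r"RoamSearchBase(\d+)", k) for k in settings) if m)
    if indexes != list(range(1, len(indexes) + 1)):
        problems.append(f"RoamSearchBase<n> must run 1, 2, 3, ... without gaps, got {indexes}")
    if len(indexes) > MAX_SEARCHBASES:
        problems.append(f"at most {MAX_SEARCHBASES} RoamSearchBase<n> settings are allowed")
    # RoamSSLPort (optional): the TCP port range check is an added assumption.
    port = settings.get("RoamSSLPort")
    if port is not None and not (port.strip().isdigit() and 0 < int(port) < 65536):
        problems.append(f"RoamSSLPort is not a valid port number: {port!r}")
    # ProfileServerKeyType (optional): exact value, no surrounding whitespace
    # or trailing comment, or roaming login fails.
    key_type = settings.get("ProfileServerKeyType")
    if key_type is not None and key_type not in KEY_TYPES:
        if key_type.split(";")[0].strip() in KEY_TYPES:
            problems.append(f"ProfileServerKeyType carries whitespace or a comment: {key_type!r}")
        else:
            problems.append(f"ProfileServerKeyType must be one of {sorted(KEY_TYPES)}, got {key_type!r}")
    # RoamGetFilesFromServer (optional): 0 (proxy off) or 1 (proxy on).
    proxy = settings.get("RoamGetFilesFromServer")
    if proxy is not None and proxy.strip() not in {"0", "1"}:
        problems.append(f"RoamGetFilesFromServer must be 0 or 1, got {proxy!r}")
    return problems
```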
PKD entrust.ini
    The file path and name of the entrust.ini file from your PKD Reader Services CA. You should have already obtained the file and configured the required settings in “Checking the entrust.ini file” on page 394.
    File path and name of the PKD Reader Services CA entrust.ini file:
CSCA Registry Download
    Specifies whether the PKD Reader can retrieve CSCA Registry information from the ICAO PKD.
    Enabling the PKD Reader to retrieve CSCA Registry information requires a PKD Access P12 credential. You should have already obtained the PKD Access P12 credential from ICAO when you deployed Administration Services for a PKD Writer (see “Obtaining a PKD Access credential for the ICAO PKD” on page 315). You can use the same PKD Access P12 credential for both the PKD Writer services and PKD Reader services.
    Enable PKD Reader to retrieve CSCA Registry information: Yes or No
PKD Reader Profile
    The PKD Reader Web Service requires a profile. You should have already created this profile in “Creating PKD Reader Server credentials” on page 388.
    Profile on Token: Yes or No
    Profile on hardware:
    • Hardware slot:
    Profile on software:
    • Profile path and file name:
    • Profile Password:
Domestic Country Code
    The ISO 3166-1 ALPHA-2 country code of your country. For example, the country code of the United States is US.
    Domestic Country Code:
Fully qualified host name of the PKD Download Directory
    The fully qualified host name of the ICAO PKD Download Directory server. For example: PKDDownloadSG.icao.int
    ICAO will provide this information after you register with ICAO.
    Fully qualified host name of the PKD Download Directory:
PKD Download Directory LDAPS Port
    The secure LDAP (LDAPS) port number of the PKD Download Directory.
    ICAO will provide this information after you register with ICAO.
    PKD Download Directory LDAPS Port:
PKD Download LDAP ID Password
    The password for the PKD Download LDAP ID.
    ICAO will provide this information after you register with ICAO.
    PKD Download LDAP ID Password:
PKD Download LDAP Server Certificate
    The file path and name of the PKD Download Directory’s LDAP server certificate (not the CA certificate).
    ICAO will provide this information after you register with ICAO.
    File path and name of the PKD Download LDAP server certificate:
Fully qualified host name of the PKD Upload Directory (CSCA Registry Download enabled only)
    The fully qualified host name of the ICAO PKD Upload Directory server. For example: PKDUploadSG.icao.int
    Fully qualified host name of the ICAO PKD Upload Directory:
PKD Upload Directory LDAPS Port (CSCA Registry Download enabled only)
    The secure LDAP port number of the ICAO PKD Upload Directory.
    ICAO PKD Upload Directory LDAPS Port:
PKD Access P12 Credential (CSCA Registry Download enabled only)
    The file path and name of the ICAO PKD Access P12 credential.
    You should have already obtained the PKD Access P12 credential from ICAO when you deployed Administration Services for a PKD Writer (see “Obtaining a PKD Access credential for the ICAO PKD” on page 315). You can use the same PKD Access P12 credential for both the PKD Writer services and PKD Reader services.
    File path and name of the ICAO PKD Access credential:
PKD Access P12 Password (CSCA Registry Download enabled only)
    The password for the ICAO PKD Access P12 credential.
    ICAO PKD Access P12 Password:
PKD Upload LDAP ID Password (CSCA Registry Download enabled only)
    The password for the ICAO PKD Upload LDAP ID.
    ICAO PKD Upload LDAP ID Password:
PKD Upload LDAP Server Certificate (CSCA Registry Download enabled only)
    The file path and name of the ICAO PKD Upload Directory’s LDAP server certificate (not the CA certificate).
    File path and name of the ICAO PKD Upload LDAP server certificate:
Email Notification
    PKD Reader can send email notification messages for specific events.
    Enable Email Notification for PKD Reader: Yes or No
This page lists all configured services (if any). Click Next to add a new service.
a In the SSL/TLS Port Number for PKD Reader Web Service field, enter the port
number for the PKD Reader Web Service (by default 443 or 12443).
b Click Next.
a In the text field, enter the full path and file name of the entrust.ini file
from the Entrust CA that issued the PKD Reader Server profile, or click
Choose to locate the file.
b Click Next.
a In the Enter the location of the PKD Reader Profile field, click Choose to
locate and select the PKD Reader Server profile (EPF file).
b In the Enter the Password to login to your PKD Writer Profile field, enter the
password for the EPF file.
c Click Next.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the PKD Reader Server profile.
b In the Enter the Password to login to your PKD Reader Profile field, enter
the password for the profile.
c Click Next.
a In the Fully Qualified Host Name of the PKD Download Directory field,
enter the fully qualified host name of the ICAO PKD Download Directory
server.
b In the TCP LDAPS Port Number of the PKD Download Directory field, enter
the secure LDAP port of the ICAO PKD Download Directory.
c In the Enter Download LDAP ID field, enter your Download LDAP ID.
d In the Enter the Password for Download LDAP field, enter the password for
your Download LDAP ID.
e In the Enter the Location of the PKD Download LDAP Server Certificate
field, enter the full path and file name of the ICAO PKD Download
Directory’s server certificate, or click Choose to locate the file.
f Click Next to continue.
The installer will attempt to connect to the ICAO PKD Download Directory server
with the information you provided. If an error occurs, a warning will appear. If
you encounter an error, open the
<AS-install>\logs\adminservices_configuration.log for more
information. You can continue installing the PKD Reader services even if an error
occurs.
a To enable PKD Reader to retrieve CSCA Registry information from the ICAO
PKD, select Enable CSCA registry download.
b If you enabled PKD Reader to retrieve CSCA Registry information:
– In the Fully Qualified Host Name of the PKD Upload Directory field, enter
the fully qualified host name of the ICAO PKD Upload Directory server.
– In the TCP LDAPS Port Number of the PKD Upload Directory field, enter
the secure LDAP port of the ICAO PKD Upload Directory.
– In the Enter the Location of the PKD P12 Credentials Profile field, enter
the full path and file name of the P12 file you generated earlier, or click
Choose to locate the file.
– In the Enter the Password to login to your PKD P12 Credentials Profile
field, enter the password for the P12 file you generated earlier.
– In the Enter Upload LDAP ID field, enter your Upload LDAP ID.
– In the Enter the Location of the PKD Upload LDAP Server Certificate field,
enter the full path and file name of the ICAO PKD Upload Directory’s server
certificate, or click Choose to locate the certificate file.
c Click Next to continue.
a To enable email notification for PKD Reader, select Enable email Notification
for PKD Reader.
If you select this option, the email notification settings are enabled.
b If you chose to enable email notification for PKD Reader:
– In the Enter the SMTP Server Fully Qualified Domain Name field, enter the
fully qualified domain name of the SMTP server.
– In the SMTP Server Port field, enter the port number used by the SMTP
server (by default 25).
a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. By default, this option is already selected.
– To not start the service after exiting the installer, deselect Start the service
automatically. You must manually restart Administration Services to use the
new service.
b Click Next.
The URL for the PKD Reader Web Service is
https://<server>:<port>/pkdreader/services/PkdrwsService, where:
• <server> is the host name or IPv4 address of the server hosting the PKD
Reader Web Service.
• <port> is the SSL port for the PKD Reader Web Service (by default 443 or
12443). You specified this port when you installed the PKD Reader Web
Service.
PKD Reader clients need this URL to connect to the PKD Reader Web Service.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.
Configuring email notification for PKD Reader
When you installed PKD Reader, you had the option to enable email notification for
PKD Reader. If you did not enable email notification during the installation, or you
want to configure how email notification works, complete the steps in this section.
For more information about email notification, see the Administration Services
Installation Guide.
• “Configuring SMTP server settings for the PKD Reader” on page 426
• “Email notification files for the PKD Reader” on page 427
• “Enabling and disabling email notification for PKD Reader” on page 428
• “Modifying email notification subject and message text for PKD Reader” on
page 431
• “Modifying PKD Reader email notification to use HTML content templates”
on page 433
Table 26: PKD Reader account tasks, event IDs, and email message files
To enable or disable email notification for specific events for PKD Reader
1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for PKD Reader. You can find the file
in the following folder:
<AS-install>\services\pkdreader\pkdreader\webapp\WEB-INF\config
3 Locate the <Notification> element.
4 In the <Notification> element, each <Event> child element refers to a specific
event. See “Email notification files for the PKD Reader” on page 427 for a list of
event IDs.
For each event, you can configure email notification as follows:
Setting Description
<ContentTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the text of the message. See
“Modifying email notification subject and message text for PKD
Reader” on page 431 for details about editing this file.
Note: This is a system setting and should not be modified.
<FromTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the names and email addresses for
the RFC 822 From: and Reply-To: headers.
Note: This is a system setting and should not be modified.
<Id> Used to declare a unique identifier. This value must match an
identifier of a notification event that is sent by the
XAPNotificationHandler. It is the identifier that is used to
determine which email notification event should handle the
notification event.
Note: This is a system setting and should not be modified.
<RecipientTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the names and email addresses of
the recipients. The results of the transformation are a
<Recipients> element.
<SubjectTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the text of the RFC 822 Subject:
header. The result of the transformation is a <Subject> element.
See “Modifying email notification subject and message text for
PKD Reader” on page 431 for details about editing this file.
Attention:
Only personnel with knowledge of XSLT should attempt to modify email
notification text. To compare your changes with the default versions of the XSL
files, see the <AS-install>\templates folder for the default files. Do not modify
any of the files in the templates folder.
Begin using your digital ID again at any time. If you have lost your
digital ID or forgotten your password, please contact your LRA.
<xsl:call-template name="signature"/>
</xsl:template>
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin) for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Repeat this procedure for each event you want to modify.
Setting Description
<Level> Sets the level of detail for the logs.
The logging level can be one of (in increasing severity) TRACE, DEBUG, INFO,
WARNING, ERROR, ALERT, or FATAL. This sets the lowest level of message to show.
For example, ERROR provides messages of ERROR, ALERT and FATAL status.
Default: INFO
<FileName> Sets the name (including path) of the log file.
Default: <AS-install>\services\pkdreader\pkdreader\logs\pkdreader_pkdreader.log
<FileSize> Sets the maximum size of a log file, in bytes.
Default: 1000000
Do not set the value to 0, or Apache Tomcat will fail to start.
<Backups> Sets the maximum number of log files to keep. After the last log file reaches the
maximum size, the first log file is overwritten.
Default: 10
Note:
You should change the PKD Download connection settings only if you entered
incorrect information when you installed the PKD Reader services.
Setting Description
<LDAPAuthType> Specifies the LDAP authentication type to the ICAO PKD Download
Directory.
Permitted values:
• Anonymous for anonymous access
• Simple for simple authentication
• SSLServerAuth for SSL server authentication
• SASLClientAuth for SASL client authentication
By default, SSL server authentication (SSLServerAuth) is required to
connect to the ICAO PKD Download Directory.
<Host> The fully qualified host name of the PKD Download Directory server.
For example:
<Host>PKDDownloadSG.icao.int</Host>
<Port> The secure LDAP (LDAPS) port number of the PKD Download
Directory.
For example:
<Port>636</Port>
<ServerCertificate> The file path and name of the PKD Download Directory’s LDAP
server certificate (not the CA certificate).
For example:
<ServerCertificate>C:\ldap_server.cer</ServerCertificate>
<UAL> The Unattended Login (UAL) file for the P12 credential. This file
contains the encrypted password for the P12 credential. By default,
this setting contains no value because no P12 is used.
You can create UAL files with the Profile Creation Utility. See the
Administration Services Installation Guide for details.
Setting Description
<LDAPAuthType> Specifies the LDAP authentication type to the ICAO PKD Upload
Directory.
Permitted values:
• Anonymous for anonymous access
• Simple for simple authentication
• SSLServerAuth for SSL server authentication
• SASLClientAuth for SASL client authentication
By default, SASL client authentication (SASLClientAuth) is required to
connect to the ICAO PKD Upload Directory.
<Host> The fully qualified host name of the ICAO PKD Upload Directory server.
For example:
<Host>PKDUploadSG.icao.int</Host>
<Port> The secure LDAP (LDAPS) port number of the ICAO PKD Upload
Directory.
For example:
<Port>636</Port>
<ServerCertificate> The file path and name of the ICAO PKD Upload Directory’s LDAP server
certificate (not the CA certificate).
For example:
<ServerCertificate>C:\ldap_server.cer</ServerCertificate>
<UAL> The Unattended Login (UAL) file for the P12 credential. This file contains
the encrypted password for the P12 credential. By default, the
Administration Services installer created this file when you installed the
PKD Reader services.
For example:
<UAL>C:\pkd-access.ual</UAL>
You can create UAL files with the Profile Creation Utility. See the
Administration Services Installation Guide for details.
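The Download and Upload connection tables above both take the directory’s own LDAP server certificate, not a CA certificate, in <ServerCertificate>. Trust is therefore tied to one specific certificate, and a connection failure after ICAO replaces the server certificate shows up as a mismatch between the file on disk and what the server presents. The following Python script is an added example, not code from the Entrust guide or from Administration Services: it performs that comparison on its own, accepts PEM or DER files, and prints both SHA-256 fingerprints so the pinned file can be checked against what ICAO supplied. Host name, port and certificate path are read from the command line; the guide does not describe how Administration Services itself validates the certificate, and nothing here claims to reproduce that.

```python
"""Compare the certificate an LDAPS server presents with a pinned certificate file.

Added example, not from the Entrust guide. Usage:
    python check_pinned_ldaps.py HOST LDAPS_PORT SERVER_CERT_FILE
"""
import base64
import hashlib
import hmac
import socket
import ssl

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def pem_to_der(data: bytes) -> bytes:
    """Return the DER bytes of the first certificate in `data` (DER passes through)."""
    if PEM_BEGIN not in data:
        return data
    body = data.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
    return base64.b64decode(b"".join(body.split()))


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes as a PEM certificate block with 64-character lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([PEM_BEGIN, *lines, PEM_END]) + b"\n"


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, as most tools print it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(presented_der: bytes, pinned_der: bytes) -> bool:
    """True only if the presented certificate is byte-for-byte the pinned one."""
    return hmac.compare_digest(hashlib.sha256(presented_der).digest(),
                               hashlib.sha256(pinned_der).digest())


def fetch_server_certificate(host: str, port: int, timeout: float = 10.0) -> bytes:
    """Complete a TLS handshake and return the server's leaf certificate (DER).

    CA-based verification is switched off here on purpose: this function only
    retrieves the certificate, and the caller decides with matches_pin() before
    any LDAP traffic is sent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pinned_ldaps(host: str, port: int, pinned_cert_path: str) -> bool:
    """Connect to host:port and report whether it presents the pinned certificate."""
    with open(pinned_cert_path, "rb") as fh:
        pinned = pem_to_der(fh.read())
    presented = fetch_server_certificate(host, port)
    print(f"pinned:    {fingerprint_sha256(pinned)}")
    print(f"presented: {fingerprint_sha256(presented)}")
    return matches_pin(presented, pinned)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit("usage: check_pinned_ldaps.py HOST LDAPS_PORT SERVER_CERT_FILE")
    host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    sys.exit(0 if check_pinned_ldaps(host, port, path) else 1)
```

A non-zero exit means the directory no longer presents the certificate on file; the printed fingerprints tell you whether to replace the <ServerCertificate> file or to treat the mismatch as a problem to investigate.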
This section provides instructions for installing an NPKD Services CA, installing and
configuring Administration Services, and administering data in the National PKD.
This section contains the following chapters:
• “Manually deploying a National PKD (optional)” on page 449
• “Installing an NPKD Services CA” on page 459
• “Deploying the NPKD services” on page 463
• “Configuring the NPKD services” on page 545
• “Administering data in the National PKD” on page 571
• “Customizing NPKD Administration” on page 715
• “Localizing NPKD Administration” on page 721
Entrust® ePassport 3.00 Solutions Guide, Document issue: 5.0
Note:
Use this chapter only if you will deploy your own directory for the National PKD.
This chapter does not apply to the National PKD directory included with
Administration Services.
Installing an LDAP directory as the National PKD
For the National PKD, install an LDAP directory. For installation instructions, follow
the directory documentation provided by the directory vendor.
Attention:
Microsoft Active Directory and Microsoft Active Directory Lightweight Directory
Services (AD LDS) are not supported as the National PKD directory.
Attributes
This section provides information about ICAO and Entrust-defined attributes required
for the National PKD.
pkdMasterListContent attribute
The pkdMasterListContent attribute contains a master list.
NAME pkdMasterListContent
OID 2.23.136.2.1.1
DESCRIPTION Contains a master list in accordance with the ICAO Technical Report
SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE
pkdVersion attribute
The pkdVersion attribute identifies the version of the ICAO PKD to which an object
was added.
NAME pkdVersion
OID 2.23.136.2.1.2
DESCRIPTION Identifies the version of the ICAO PKD an object was added
EQUALITY integerMatch
ORDERING integerOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
pkdConformanceText attribute
The pkdConformanceText attribute contains a human-readable ICAO PKD
conformance check result.
NAME pkdConformanceText
OID 2.23.136.2.1.4
DESCRIPTION Contains a human-readable ICAO PKD conformance check result
EQUALITY caseIgnoreMatch
SUBSTRING caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
pkdPKCS10Content attribute
The pkdPKCS10Content attribute contains a PKCS #10 certificate request.
NAME pkdPKCS10Content
OID 2.23.136.2.1.8
DESCRIPTION Contains a PKCS #10 certification request
SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE
pkdDeviationListContent attribute
The pkdDeviationListContent attribute contains a deviation list in accordance with
the ICAO Technical Report.
NAME pkdDeviationListContent
OID 2.23.136.2.1.9
DESCRIPTION Contains a deviation list in accordance with the ICAO Technical Report
entrustNPKDCSCAMetaData attribute
The entrustNPKDCSCAMetaData attribute contains additional information about the
CSCA material, such as the source, client DN, hash of the material, and so on.
NAME entrustNPKDCSCAMetaData
OID 1.2.840.113533.7.81.1.0
DESCRIPTION Entrust NPKD CSCA Meta Data
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE
entrustNPKDAssuranceLevelPolicy attribute
The entrustNPKDAssuranceLevelPolicy attribute provides a set of rules that map
validation results onto assurance levels.
NAME entrustNPKDAssuranceLevelPolicy
OID 1.2.840.113533.7.81.1.1
DESCRIPTION Entrust NPKD Assurance Level Policy
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE
entrustNPKDAssuranceLevelExp attribute
The entrustNPKDAssuranceLevelExp attribute contains an assurance level
expiration date. The NPKD Services use this expiration date to quickly discover
expiring assurance levels.
NAME entrustNPKDAssuranceLevelExp
OID 1.2.840.113533.7.81.1.2
DESCRIPTION Entrust NPKD Assurance Level Expiration
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE
entrustNPKDAssuranceLevel attribute
The entrustNPKDAssuranceLevel attribute contains the assurance level of a CSCA
material, along with the test results.
NAME entrustNPKDAssuranceLevel
OID 1.2.840.113533.7.81.1.3
DESCRIPTION Entrust NPKD Assurance Level
entrustNPKDSignature attribute
The entrustNPKDSignature attribute contains a signature covering hashes of all
attributes in the entry.
NAME entrustNPKDSignature
OID 1.2.840.113533.7.81.1.4
DESCRIPTION Entrust NPKD Signature
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE
entrustNPKDPublish attribute
The entrustNPKDPublish attribute contains a Boolean flag indicating whether the
CSCA material is eligible for publishing. CSCA materials eligible for publishing can be
distributed to clients through the NPKD Web Service. The attribute value is calculated
based on the validation tests and the assurance level policy. The attribute value can
also be used in searches for quick distribution to clients.
NAME entrustNPKDPublish
OID 1.2.840.113533.7.81.1.5
DESCRIPTION Entrust NPKD Publish
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE
entrustNPKDCreationDate attribute
The entrustNPKDCreationDate attribute contains the import date of the CSCA
material. The attribute value can be used in searches by the last import date from
clients.
NAME entrustNPKDCreationDate
OID 1.2.840.113533.7.81.1.6
DESCRIPTION Entrust NPKD Creation Date
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE
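The attribute definitions above are the raw material for extending the schema of a self-deployed National PKD directory. The following Python script is an added example, not code from the Entrust guide or from Administration Services: it renders the documented NAME, OID, DESCRIPTION, matching rules and SYNTAX of each attribute as RFC 4512 attributeType descriptions and checks that no OID is reused. Attributes for which the guide lists no SYNTAX (pkdDeviationListContent and entrustNPKDAssuranceLevel) are left out, because an attributeType with neither SYNTAX nor SUP is not a valid RFC 4512 definition. The constant names and the generic `attributeTypes:` wrapper are the example’s own choices; your directory vendor’s documentation gives the exact attribute (for example olcAttributeTypes in OpenLDAP cn=config) that carries these values.

```python
"""Render the National PKD attribute definitions as RFC 4512 LDAP schema.

Added example, not part of the Entrust guide. Attributes whose SYNTAX the
guide does not state are omitted on purpose.
"""
from dataclasses import dataclass
from typing import List, Optional

# RFC 4517 syntax OIDs referenced above, named for readability.
SYNTAX_BINARY = "1.3.6.1.4.1.1466.115.121.1.5"
SYNTAX_BOOLEAN = "1.3.6.1.4.1.1466.115.121.1.7"
SYNTAX_DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"
SYNTAX_IA5_STRING = "1.3.6.1.4.1.1466.115.121.1.26"
SYNTAX_INTEGER = "1.3.6.1.4.1.1466.115.121.1.27"
SYNTAX_OCTET_STRING = "1.3.6.1.4.1.1466.115.121.1.40"


def qdstring(text: str) -> str:
    """Quote a string per RFC 4512: backslash and apostrophe are hex-escaped."""
    return "'" + text.replace("\\", "\\5c").replace("'", "\\27") + "'"


@dataclass(frozen=True)
class AttributeType:
    name: str
    oid: str
    desc: str
    syntax: str
    single_value: bool = False
    equality: Optional[str] = None
    ordering: Optional[str] = None
    substr: Optional[str] = None

    def to_schema(self) -> str:
        """Return the RFC 4512 AttributeTypeDescription for this attribute."""
        parts = [self.oid, f"NAME {qdstring(self.name)}", f"DESC {qdstring(self.desc)}"]
        for keyword, value in (("EQUALITY", self.equality), ("ORDERING", self.ordering),
                               ("SUBSTR", self.substr)):
            if value:
                parts.append(f"{keyword} {value}")
        parts.append(f"SYNTAX {self.syntax}")
        if self.single_value:
            parts.append("SINGLE-VALUE")
        return "( " + " ".join(parts) + " )"


# The attribute rows as documented in this chapter (those with a stated SYNTAX).
NPKD_ATTRIBUTES: List[AttributeType] = [
    AttributeType("pkdMasterListContent", "2.23.136.2.1.1",
                  "Contains a master list in accordance with the ICAO Technical Report",
                  SYNTAX_BINARY, single_value=True),
    AttributeType("pkdVersion", "2.23.136.2.1.2",
                  "Identifies the version of the ICAO PKD an object was added",
                  SYNTAX_INTEGER, single_value=True,
                  equality="integerMatch", ordering="integerOrderingMatch"),
    AttributeType("pkdConformanceText", "2.23.136.2.1.4",
                  "Contains a human-readable ICAO PKD conformance check result",
                  SYNTAX_DIRECTORY_STRING,
                  equality="caseIgnoreMatch", substr="caseIgnoreSubstringsMatch"),
    AttributeType("pkdPKCS10Content", "2.23.136.2.1.8",
                  "Contains a PKCS #10 certification request", SYNTAX_BINARY, single_value=True),
    AttributeType("entrustNPKDCSCAMetaData", "1.2.840.113533.7.81.1.0",
                  "Entrust NPKD CSCA Meta Data", SYNTAX_OCTET_STRING,
                  single_value=True, equality="octetStringMatch"),
    AttributeType("entrustNPKDAssuranceLevelPolicy", "1.2.840.113533.7.81.1.1",
                  "Entrust NPKD Assurance Level Policy", SYNTAX_OCTET_STRING,
                  single_value=True, equality="octetStringMatch"),
    AttributeType("entrustNPKDAssuranceLevelExp", "1.2.840.113533.7.81.1.2",
                  "Entrust NPKD Assurance Level Expiration", SYNTAX_OCTET_STRING,
                  single_value=True, equality="octetStringMatch"),
    AttributeType("entrustNPKDSignature", "1.2.840.113533.7.81.1.4",
                  "Entrust NPKD Signature", SYNTAX_OCTET_STRING,
                  single_value=True, equality="octetStringMatch"),
    AttributeType("entrustNPKDPublish", "1.2.840.113533.7.81.1.5",
                  "Entrust NPKD Publish", SYNTAX_BOOLEAN,
                  single_value=True, equality="booleanMatch"),
    AttributeType("entrustNPKDCreationDate", "1.2.840.113533.7.81.1.6",
                  "Entrust NPKD Creation Date", SYNTAX_IA5_STRING,
                  single_value=True, equality="caseIgnoreIA5Match"),
]


def duplicate_oids(attrs: List[AttributeType]) -> List[str]:
    """OIDs assigned to more than one attribute; a loadable schema must have none."""
    seen, dupes = set(), []
    for attr in attrs:
        if attr.oid in seen and attr.oid not in dupes:
            dupes.append(attr.oid)
        seen.add(attr.oid)
    return dupes


def render_schema_ldif(attrs: List[AttributeType]) -> str:
    """One 'attributeTypes:' line per attribute, as a subschema entry carries them."""
    return "\n".join(f"attributeTypes: {attr.to_schema()}" for attr in attrs) + "\n"


if __name__ == "__main__":
    if duplicate_oids(NPKD_ATTRIBUTES):
        raise SystemExit(f"duplicate OIDs: {duplicate_oids(NPKD_ATTRIBUTES)}")
    print(render_schema_ldif(NPKD_ATTRIBUTES))
```

The two attributes without a documented SYNTAX must be completed from the vendor schema before they are loaded; adding them to NPKD_ATTRIBUTES with the right syntax OID is all the script needs.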
Installing and configuring Security Manager
Before installing Security Manager, ensure that you read all preinstallation
information described in the Security Manager 8.3 Installation Guide. Ensure that
you install and configure a supported LDAP directory and database as described in
the Security Manager 8.3 Installation Guide.
When using the countryName (c=) directory attribute to specify a two-letter country
code, the two-letter country code must be in uppercase characters to meet the ISO
3166 standard.
Install, configure, and initialize Security Manager according to the instructions in
the Security Manager 8.3 Installation Guide. After installing and configuring Security
Manager, proceed to “Post-configuration steps” on page 461.
• “Completing the Microsoft IIS front-end configuration for the NPKD
services” on page 519
• “Completing the Apache HTTP Server front-end configuration for the NPKD
services” on page 529
• “Creating or modifying a user policy for NPKD administrators” on page 535
• “Creating a role for NPKD administrators” on page 537
• “Creating NPKD administrators” on page 538
• “Testing NPKD Administration” on page 543
Note:
Web Server SSL certificates must be issued by a Certification Authority.
Self-signed certificates are not supported.
You need a Web server certificate to enable SSL on your Web server. You can use the
following Entrust products to obtain Web server certificates:
• To generate large numbers of licensed Web server certificates, use Entrust
Authority Enrollment Server for Web.
To create a user entry for the NPKD Server profile using Security Manager
Administration
1 Log in to Security Manager Administration for the NPKD Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
4 Click the General tab.
5 From the Role drop-down list, select Server Login.
6 Select the Certificate Info tab, and then complete the following:
To create a user entry for the NPKD Client profile using Security Manager
Administration
1 Log in to Security Manager Administration for the NPKD Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
This page lists all configured services (if any). Click Next to add a new service.
a In the Host Name field, enter the fully qualified host name of your Web site.
For example, webserver.example.com.
b In the Port Number field, enter the SSL port number of your Web site (by
default 443).
c Click Next.
a In the Administration Web Application Port Number field, enter the port
number for the NPKD Administration interface (default 23443).
b In the Web Service Port Number field, enter the port number for the NPKD
Web Service (default 24443).
c Click Next.
a In the text field, enter the full path and file name of the entrust.ini file
from the Entrust CA that issued the NPKD Server profile, or click Choose to
locate the file.
b Click Next.
a In the Enter the location of the NPKD Profile field, click Choose to locate and
select the NPKD Server profile (EPF file).
b In the Enter the Password to login to your NPKD Profile field, enter the
password for the EPF file.
c Click Next.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the NPKD Server profile.
b In the Enter the Password to login to your NPKD Profile field, enter the
password for the profile.
c Click Next.
a To enable a connection with PKD Reader, select Enable import from PKD
Reader for NPKD Service.
b If you enabled a connection with PKD Reader:
– In the Enter the location of the PKD Reader entrust.ini field, enter the full
path and file name of the entrust.ini file from the Entrust CA that issued
the PKD Reader Client profile, or click Choose to locate the file.
– In the PKD Reader Web Service URL field, enter the URL of the PKD Reader
Web Service.
The URL for the PKD Reader Web Service is https://<server>:<port>/
pkdreader/services/PkdrwsService, where <server> is the host name
or IPv4 address of the server hosting the PKD Reader Web Service, and
<port> is the SSL port for the PKD Reader Web Service (by default 443 or
12443).
c Click Next.
If you did not enable a connection to PKD Reader, proceed to Step 19 on
page 497.
a In the Enter the location of the PKD Reader Profile field, click Choose to
locate and select the PKD Reader Client profile (EPF file).
b In the Enter the Password to login to your PKD Writer Profile field, enter the
password for the EPF file.
c Click Next.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the PKD Reader Client profile.
b In the Enter the Password to login to your PKD Reader Profile field, enter
the password for the profile.
c Click Next.
– In the NPKD Directory port number field, enter the LDAP port to use for
the National PKD (default 389).
– In the Enter the NPKD Directory Password field, enter a password for the
directory user.
For the provided directory, the distinguished name (DN) of the directory
user is cn=Directory Manager. You cannot change this DN.
– In the Enter the NPKD Directory Password Confirmation field, enter the
password again to confirm the password.
c If you are using an existing directory:
– In the Fully qualified host name of the NPKD Directory field, enter the fully
qualified host name of the NPKD Directory server.
– In the NPKD Directory port number field, enter the LDAP port of the
directory (default 389).
– In the NPKD Directory user field, enter the distinguished name (DN) of a
directory user that can access and manage the directory.
– In the Enter the NPKD Directory password field, enter the password of the
directory user.
d Click Next to continue.
If you are using an existing directory as the National PKD, the installer will
attempt to connect to the directory with the information you provided. If an error
occurs, a warning will appear. If you encounter an error, open the
<AS-install>\logs\adminservices_configuration.log for more
information. You can continue installing the NPKD services even if an error
occurs.
a To enable email notification for the NPKD services, select Enable Email
Notification for NPKD.
If you select this option, the email notification settings are enabled.
b If you chose to enable email notification for the NPKD services:
– In the Enter the SMTP Server Fully Qualified Domain Name field, enter the
fully qualified domain name of the SMTP server.
– In the SMTP Server Port field, enter the port number used by the SMTP
server (by default 25).
– In the Enter the NPKD Administrator Email Address field, enter the email
address where administrators will receive email notification messages.
The NPKD services send messages to this address only if the event is not
meant for a particular object. For example, if a user performs an action that
requires an administrator’s approval, the NPKD services send the message
to this email address.
– In the Enter the NPKD Appears From Email Address field, enter the email
address that will appear in the From field of the email message.
c Click Next.
a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. By default, this option is already selected.
– To not start the service after exiting the installer, deselect Start the service
automatically. You must manually restart Administration Services to use the
new service.
b Click Next.
The URL for the NPKD Web Service is
https://<server>:<port>/npkd/services/NpkdServiceV1, where:
• <server> is the host name or IPv4 address of the server hosting the NPKD
Web Service.
• <port> is the SSL port for the NPKD Web Service (by default 24443). You
specified this port when you installed the NPKD services.
NPKD Web Service clients need this URL to connect to the NPKD Web Service.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.
This page lists all configured services (if any). Click Next to add a new service.
a Select the Web server that you will use for Administration Services.
b Click Next.
a In the Web Server’s Fully Qualified Host Name or IP Address field, enter the
fully qualified host name or IPv4 address of your Web site. For example,
webserver.example.com.
b In the Web Server’s SSL Port field, enter the SSL port number of your Web
site (by default 443).
c Click Next.
a Enter the path to the folder that contains the Web server’s configuration file
(httpd.conf file) or click Choose to select the folder that contains the file.
b Click Next to continue.
a In the text field, enter the fully qualified host name or IPv4 address of the
server hosting the application server components. For example,
appserver.example.com.
b Click Next.
a In the Administration Web Application Port Number field, enter the port
number for the NPKD Administration interface (default 23443).
b In the Web Service Port Number field, enter the port number for the NPKD
Web Service (default 24443).
c Click Next.
6 Select the first binding (for example, 24443), and click Edit.
The Edit Site Binding dialog box appears.
Increasing the upload buffer size for the npkd Web site in
Microsoft IIS
Microsoft IIS includes a server runtime setting named uploadReadAheadSize. This
setting specifies the number of bytes that the Web server reads into a buffer and
passes to an ISAPI extension or module. By default, Microsoft IIS reads 49152 bytes
(48 kilobytes) into the buffer.
Using NPKD Administration, you can import CSCA materials from LDIF files. If an
LDIF file is larger than the uploadReadAheadSize value, an error can occur and the
file contents will not be imported.
When you installed the Web server components of the NPKD services, the installer
created a new npkd Web site in Microsoft Internet Information Services (IIS). The
npkd Web site is for accepting and forwarding connections to NPKD Administration
or the NPKD Web Service.
Increase the value of the server runtime setting uploadReadAheadSize for the npkd
Web site.
11 Click Finish.
Listen 24443
<VirtualHost webserver.example.com:24443>
...
</VirtualHost>
# Entrust AdminServices NPKD end
3 Each <VirtualHost> directive added by the installer for the NPKD services
includes the following settings:
SSLCertificateFile conf/ssl/TAG_SERVER_CERT
SSLCertificateKeyFile conf/ssl/TAG_SERVER_KEY
SSLCertificateChainFile conf/ssl/TAG_CA_CERT
SSLCACertificateFile conf/ssl/TAG_CA_CERT
Update all instances of these settings as follows. For more information about any
of these settings, see the Apache HTTP Server documentation.
Note:
If the file referenced by SSLCertificateChainFile or SSLCACertificateFile
contains too many certificates, Apache HTTP Server may fail to load all the
certificates. If the Web server fails to load all the certificates, it may be unable to
successfully maintain a session with the Web browser. To work around this issue,
you can use the SSLCACertificatePath setting instead of the
SSLCertificateChainFile or SSLCACertificateFile settings. For information
about using the SSLCACertificatePath setting, see the Apache HTTP Server
documentation.
Listen 24443
<VirtualHost webserver.example.com:24443>
...
</VirtualHost>
# Entrust AdminServices NPKD end
c Each <VirtualHost> directive added by the installer for the NPKD services
includes the following setting:
SSLCACertificateFile conf/ssl/ca-certs.crt
You may have already configured this setting in “Assigning SSL certificates
to the NPKD services VirtualHosts in Apache HTTP Server” on page 529.
The SSLCACertificateFile setting must specify the path and file name of
a PEM-encoded CA certificates file. The path can be a path relative to the
Apache HTTP Server installation directory. For example:
SSLCACertificateFile conf/ssl/ca-certs.crt
The NPKD services will use this setting for verifying client certificates.
a Save and close the file.
7 Restart the Web server.
To create a user entry for an NPKD administrator using the User Management
Service
1 Log in to the User Management Service for the NPKD Services CA.
2 Click the Accounts tab.
3 Click the Create Account tab.
4 In the User Type drop-down list, select a user type.
User types determine which attributes and object classes are included in the user’s
distinguished name.
5 In the Certificate Type drop-down list, select one of the following.
• To grant the NPKD administrator read-only access to information, select
Enterprise - ePassport Auditor.
• To grant the NPKD administrator access to all functionality, select Enterprise
- National NPKD Service Administrator.
You created these certificate types in “Creating certificate types for NPKD
services” on page 471.
6 In the available text fields, enter the name that will become the common name
of the user entry. An asterisk (*) appears beside required fields. You must enter
information into all fields marked with asterisks.
Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.
Configuring the NPKD services logs
The NPKD services—NPKD Web Service and NPKD Administration—share a log file.
This log file contains messages related to the operation of the NPKD services.
Administration Services allows you to customize the NPKD services log file settings.
You can configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain
Setting Description
<Level> Sets the level of detail for the logs.
The logging level can be one of (in increasing severity) TRACE, DEBUG,
INFO, WARNING, ERROR, ALERT, or FATAL. This sets the lowest level of
message to show. For example, ERROR provides messages of ERROR,
ALERT and FATAL status.
Default: INFO
<FileName> Sets the name (including path) of the log file.
Default: <AS-install>\services\npkd\npkd\logs\npkd_npkd.log
<FileSize> Sets the maximum size of a log file, in bytes.
Default: 1000000
Do not set the value to 0, or Apache Tomcat will fail to start.
<Backups> Sets the maximum number of log files to keep. After the last log file
reaches the maximum size, the first log file is overwritten.
Default: 10
Setting Description
<Level> Sets the level of detail for the logs.
The logging level can be one of (in increasing severity) TRACE, DEBUG,
INFO, WARNING, ERROR, ALERT, or FATAL. This sets the lowest level of
message to show. For example, ERROR provides messages of ERROR,
ALERT and FATAL status.
Default: INFO
<FileName> Sets the name (including path) of the log file.
Default:
<AS-install>\services\npkd\npkd\logs\npkd_validation_engine.log
<FileSize> Sets the maximum size of a log file, in bytes.
Default: 1000000
Do not set the value to 0, or Apache Tomcat will fail to start.
<Backups> Sets the maximum number of log files to keep. After the last log file
reaches the maximum size, the first log file is overwritten.
Default: 10
Table 33: NPKD account tasks, event IDs, and email message files
To enable or disable email notification for specific events for the NPKD
services
1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for the NPKD services. You can find
the file in the following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 Locate the <Notification> element.
4 In the <Notification> element, each <Event> child element refers to a specific
event. See “Email notification files for the NPKD services” on page 551 for a list
of event IDs.
For each event, you can configure email notification as follows:
• To enable email notification for the event, set <Enabled> to true.
<Enabled>true</Enabled>
• To disable email notification for the event, set <Enabled> to false.
Setting Description
<ContentTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the text of the message. See
“Modifying email notification subject and message text for the
NPKD services” on page 555 for details about editing this file.
Note: This is a system setting and should not be modified.
<FromTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the names and email addresses for
the RFC 822 From: and Reply-To: headers.
Note: This is a system setting and should not be modified.
<Id> Used to declare a unique identifier. This value must match an
identifier of a notification event that is sent by the
XAPNotificationHandler. It is the identifier that is used to
determine which email notification event should handle the
notification event.
Note: This is a system setting and should not be modified.
<RecipientTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the names and email addresses of
the recipients. The results of the transformation are a
<Recipients> element.
<SubjectTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the text of the RFC 822 Subject:
header. The result of the transformation is a <Subject> element.
See “Modifying email notification subject and message text for
the NPKD services” on page 555 for details about editing this file.
<AttachmentsTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the files sent in the email messages
as attachments. The results of the transformation are an
<Attachments> element.
Attention:
Only personnel with knowledge of XSLT should attempt to modify email
notification text. To compare your changes with the default versions of the XSL
files, see the <AS-install>\templates folder for the default files. Do not modify
any of the files in the templates folder.
Begin using your digital ID again at any time. If you have lost your
digital ID or forgotten your password, please contact your LRA.
<xsl:call-template name="signature"/>
</xsl:template>
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin) for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Repeat this procedure for each event you want to modify.
To configure the LDAP page size for Document Signer certificate list
operations
1 Log in to the Administration Services server hosting the application server
components.
2 Open the npkd-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\npkd\npkd\webapp\WEB-INF\config
3 Locate the <DSC> setting. By default:
<DSC>
<!-- LDAP Page size for DS Certificate list operations,
100 by default. Use 0 to turn off LDAP paging. -->
<PageSize>50</PageSize>
</DSC>
4 For <PageSize>, enter the number of Document certificates per page to return
from an LDAP query. If 0, NPKD services will not use LDAP paging.
5 Save and close the file.
You do not need to restart Administration Services. The changes are applied
immediately.
Note:
It is recommended that you enable automatic signature updates only when the
NPKD Server profile has been updated. You should disable the automatic
signature updates after the signature has been updated on all CSCA materials in
the National PKD.
Setting Description
<Enabled> Controls whether the NPKD services can automatically import CSCA
materials from PKD Reader.
Permitted values:
• true to enable automatic imports from PKD Reader.
• false to disable automatic imports from PKD Reader.
Default: true
Setting Description
<Filename> The full path and file name of the PKD Writer secure audit log.
Default:
C:\Program Files\Entrust\AdminServices/services/npkd/npkd/logs/npkd_audit.log
Logging in to NPKD Administration
NPKD Administration is a Web-based interface for administering the NPKD services.
NPKD administrators use NPKD Administration to import and manage CSCA
certificates, master lists, Document Signer certificates, and CRLs stored in the NPKD
Directory.
You are required to log in to the NPKD Administration interface with a certificate
stored in your Web browser (see “Creating NPKD administrators” on page 538).
Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.
This section describes how to use the various grid features in NPKD Administration
for displaying and managing items in the grid.
This section contains the following topics:
• “Navigating pages of items in a grid” on page 574
• “Viewing information that is truncated in a grid cell” on page 576
• “Resizing columns in a grid” on page 576
• “Sorting items in a grid by column” on page 577
• “Moving columns in a grid” on page 578
• “Adding and removing columns in a grid” on page 579
• “Adding and editing filters in a grid” on page 580
• “Removing a filter from a grid column” on page 582
• “Viewing all filters in a grid” on page 583
• “Removing all filters from a grid” on page 583
• “Grouping items in a grid by columns” on page 584
• “Restoring a grid layout” on page 587
The list displays pages in groups, up to three pages per group. For example,
pages 1 to 3, pages 4 to 6, pages 7 to 9, and so on.
If more pages exist after the currently-shown group of pages, a More Pages
option (...) is displayed at the top of the list. Click this More Pages option to
go to the first page in the next group of pages. For example, if you are on
pages 1, 2, or 3, click the More Pages option at the top of the list to go to
page 4.
If more pages exist before the currently-shown group of pages, a More Pages
option (...) is displayed at the bottom of the list. Click this More Pages option
to go to the last page in the previous group of pages. For example, if you are
• In the bottom right corner of the grid, an item indicator displays the range of
items being viewed, along with the total number of items. For example:
You can view the full value of the truncated information by pausing the pointer on
the truncated information. When you pause the pointer on the truncated
information, a pop-up window appears that displays the full value of the information.
The following figure shows an example of the pop-up window.
Note:
If you pause the pointer over a link, the pop-up window displays the action that
will occur if you click the link.
Figure 13: Pop-up window showing the full value of truncated information
You can also resize columns in the grid so that less information is truncated.
See “Resizing columns in a grid” on page 576 for details.
You can resize the column by clicking and holding the mouse, then dragging it left or
right to shrink or expand the width of the column.
By default, grids are sorted by values in the left-most column in ascending order.
To move a column
1 Click and hold the heading of the column you want to move.
2 For each column you want to display in the grid, select that column from the list.
By default, all columns are selected.
3 For each column you want to remove from the grid, deselect that column from
the list.
The View Filters pop-up window appears. The pop-up window lists all the filters
active in the grid.
The preceding example shows a grid that groups items in the following order:
a Items are first grouped by Country Code, grouping items by their country of
origin. Each country will have its own group, with all items from that country
under that group.
b Under each country group, items are then grouped by Status. All items with
the same status are grouped together, with each status forming a different
group.
c Under Status, items are further grouped by Assurance Level, grouping items
together by their assurance level.
You can show and hide a group by clicking the small black arrow next to the
group.
4 When using multiple groups, groups are ordered from left to right in the Column
Groups bar. You can change the order of the groups by dragging the name of the
column left or right. Small up and down arrows indicate the column’s new group
order.
5 To remove a group, click the X on the group column you want to remove.
Each row in the grid contains information about a CRL. Each row contains the
following columns:
• CN displays the distinguished name (DN) of the CSCA that issued the CRL.
This DN forms part of the common name (CN) of the CRL in the National
PKD.
To view detailed information about the CRL, click the DN. See “Viewing
detailed information about a CRL” on page 627 for information about
viewing CRLs.
• DN displays the distinguished name (DN) of the CRL in the National PKD.
• Status displays the status of the CRL.
The value OK indicates that all attribute signatures are valid and the entry in
the directory is not corrupt.
The value ERROR indicates either the entry in the directory is corrupt or the
NPKD services cannot verify the signature on the attributes. An error string
explaining the reason for the error will be displayed.
• Assurance Level displays the assurance level of the certificate.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
Each row in the grid contains information about a master list. Each row contains
the following columns:
• DN displays the distinguished name (DN) of the CSCA that signed the master
list.
To view detailed information about the master list, click the DN. See
“Viewing detailed information about a master list” on page 641 for
information about viewing master lists.
• Status displays the status of the master list.
The value OK indicates that all attribute signatures are valid and the entry in
the directory is not corrupt.
The value ERROR indicates either the entry in the directory is corrupt or the
NPKD services cannot verify the signature on the attributes. An error string
explaining the reason for the error will be displayed.
• Assurance Level displays the assurance level of the master list.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
Click the assurance level for a master list to view the results of all assurance
level tests performed on the master list, along with some additional master
list information.
• Publish displays whether the master list is available for publishing to DV Web
Service clients.
False indicates that the master list is not available to be published to clients.
True indicates that the master list is available to be published to clients.
You can hide or show the list of Document Signer certificates. You can hide the
list of Document Signer certificates by clicking Hide Certificates. You can show
the list of Document Signer certificates by clicking Show Certificates.
Each row in the grid contains information about a Document Signer certificate.
Each row contains the following columns:
• SN displays the serial number of the certificate in hexadecimal format.
To view detailed information about the Document Signer certificate, click the
serial number. See “Viewing detailed information about a Document Signer
certificate” on page 613 for information about viewing Document Signer
certificates.
• CN displays the distinguished name (DN) of the CSCA that issued the
Document Signer certificate. This DN forms part of the common name (CN)
of the Document Signer certificate in the National PKD.
• DN displays the distinguished name (DN) of the Document Signer certificate
in the National PKD.
• Status displays the status of the Document Signer certificate.
6 To immediately recalculate assurance levels on all CSCA materials for the country,
click Recalculate Assurance Levels.
By default, NPKD automatically recalculates assurance levels every 24 hours (see
“Configuring NPKD services settings” on page 710).
3 From the Country Name column, click the name of the country that you want to
use the global assurance policy.
• Country displays the country code and name of the originating country.
To view detailed information about the country, click the name of the
country. See “Viewing detailed information about a country in the National
PKD” on page 596 for information about viewing countries.
• SN displays the serial number of the certificate in hexadecimal format.
• Issuer DN displays the distinguished name (DN) of the CSCA that issued the
Document Signer certificate.
• Subject DN displays the distinguished name (DN) of the Document Signer
certificate.
• Serial Number displays the serial number of the Document Signer certificate
in integer format.
• Not Valid Before displays the issue date of the certificate.
• Not Valid After displays the expiry date of the certificate.
6 CSCA Material Details displays information about the Document Signer
certificate in the National PKD.
You can hide or show the test results. You can hide the test results by clicking
Hide Test Results. You can show the test results by clicking Show Test Results.
Note:
If automatic imports from PKD Reader are enabled (see “Configuring NPKD
services settings” on page 710), materials you remove from the National PKD
may be re-added by PKD Reader during a scheduled import operation. To
prevent PKD Reader from re-adding materials you remove from the National
PKD, you must disable automatic imports from PKD Reader. You can then
manually import materials from PKD Reader (see “Importing CSCA materials
from PKD Reader into the National PKD” on page 696). Manually importing
materials from PKD Reader allows you to review the materials in PKD Reader and
remove any unwanted materials before uploading them into the National PKD.
3 To remove one or more Document Signer certificates from the DS Certificate List:
b Review the Document Signer certificate details and verify that it is the
Document Signer certificate you want to remove from the National PKD.
c Click Remove DS certificate.
The Document Signer certificate is removed from the National PKD and a
success message appears.
• Country displays the name and country code of the originating country.
To view detailed information about the country, click the name of the
country. See “Viewing detailed information about a country in the National
PKD” on page 596 for information about viewing countries.
• CN displays the distinguished name (DN) of the CSCA that issued the CRL.
• DN displays the distinguished name (DN) of the CRL in the National PKD.
• Issuer DN displays the distinguished name (DN) of the CSCA that issued the
CRL.
• Last Update displays the date and time the CRL was last updated.
• Next Update displays the date and time the CRL is scheduled to be updated.
6 CSCA Material Details displays information about the CRL in the National PKD.
You can hide or show the test results. You can hide the test results by clicking
Hide Test Results. You can show the test results by clicking Show Test Results.
8 Number of revoked certificates displays the number of revoked certificates in the
CRL, along with information about each certificate in the CRL.
Note:
If automatic imports from PKD Reader are enabled (see “Configuring NPKD
services settings” on page 710), materials you remove from the National PKD
may be re-added by PKD Reader during a scheduled import operation. To
prevent PKD Reader from re-adding materials you remove from the National
PKD, you must disable automatic imports from PKD Reader. You can then
manually import materials from PKD Reader (see “Importing CSCA materials
from PKD Reader into the National PKD” on page 696). Manually importing
materials from PKD Reader allows you to review the materials in PKD Reader and
remove any unwanted materials before uploading them into the National PKD.
b Review the CRL details and verify that it is the CRL you want to remove from
the National PKD.
c Click Remove CRL.
The CRL is removed from the National PKD and a success message appears.
The Master Lists List displays a list of master lists in the National PKD. For
information about this page, see “Listing master lists in the National PKD” on
page 639.
3 In the CN column, click the distinguished name of the master list you want to
view.
Detailed information about the master list appears on a new page.
4 Master List Overview displays a brief overview about the master list.
• Country displays the name and country code of the originating country.
• Signer DN displays the distinguished name (DN) of the CSCA that signed the
master list.
• Signing Time displays the date and time that the CSCA signed the master list.
6 CSCA Material Details displays information about the master list in the National
PKD.
You can hide or show the test results. You can hide the test results by clicking
Hide Test Results. You can show the test results by clicking Show Test Results.
You can hide or show the list of CSCA certificates. You can hide the list by clicking
Hide CSCA Certificates. You can show the list by clicking Show CSCA
Certificates.
Each row contains information about a CSCA certificate in the master list. Each
row contains the following columns:
• Country Code displays the country code of the originating country.
• Country Name displays the name of the originating country.
• Serial Number displays the serial number of the CSCA certificate in integer
format.
• Not Valid Before displays the issue date of the CSCA certificate.
• Not Valid After displays the expiry date of the CSCA certificate.
To view the assurance level information about a master list in the National
PKD
1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
The Master Lists List displays a list of master lists in the National PKD. For
information about this page, see “Listing master lists in the National PKD” on
page 639.
3 In the Assurance Level column, click the assurance level of the master list you
want to view.
An Assurance Level Details page appears for the master list.
4 Master List Overview displays a brief overview about the master list.
• Country displays the name and country code of the originating country.
To view detailed information about the country, click the name of the
country. See “Viewing detailed information about a country in the National
PKD” on page 596 for information about viewing countries.
• DN displays the distinguished name (DN) of the CSCA that signed the master
list.
To view detailed information about the master list, click the DN. See
“Viewing detailed information about a master list” on page 641 for
information about viewing detailed information about a master list.
3 From the CN column, click the distinguished name of the CSCA that signed the
master list you want to export.
Note:
If automatic imports from PKD Reader are enabled (see “Configuring NPKD
services settings” on page 710), materials you remove from the National PKD
may be re-added by PKD Reader during a scheduled import operation. To
prevent PKD Reader from re-adding materials you remove from the National
PKD, you must disable automatic imports from PKD Reader. You can then
manually import materials from PKD Reader (see “Importing CSCA materials
from PKD Reader into the National PKD” on page 696). Manually importing
materials from PKD Reader allows you to review the materials in PKD Reader and
remove any unwanted materials before uploading them into the National PKD.
The Trusted Anchors List displays a list of CSCA certificates in the National PKD.
For information about this page, see “Listing trust anchors in the National PKD”
on page 655.
• Issuer DN displays the distinguished name (DN) of the entity that issued the
CSCA certificate. (CSCA certificates are self-signed root certificates. The
Issuer DN and subject DN of CSCA certificates should be the same.)
• Subject DN displays the distinguished name (DN) of the CSCA certificate.
• Serial Number displays the serial number of the certificate in integer format.
• Not Valid Before displays the issue date of the certificate.
• Not Valid After displays the expiry date of the certificate.
You can hide or show the test results. You can hide the test results by clicking
Hide Test Results. You can show the test results by clicking Show Test Results.
3 To remove one or more CSCA certificates from the Trusted Anchors List:
a To select all CSCA certificates on the page, click Select All.
When you click Select All to select all CSCA certificates, the button changes
to Deselect All. Click Deselect All, to deselect all the CSCA certificates.
b To select specific CSCA certificates, click the Select Certificates check box for
each CSCA certificate.
Clicking a check box that is already selected will deselect the CSCA
certificate.
c Click Remove Trusted Certificates.
A dialog box appears, asking you to confirm that you want to remove the
CSCA certificates from the National PKD.
d Click OK to confirm the operation and remove the CSCA certificates from the
National PKD.
b Review the CSCA certificate details and verify that it is the CSCA certificate
you want to remove from the National PKD.
c Click Remove CSCA Certificate.
The CSCA certificate is removed from the National PKD and a success
message appears.
a Review the information provided to determine that you want to import the
CSCA certificate into the National PKD:
– Issuer DN displays the distinguished name (DN) of the CSCA certificate.
– Serial Number displays the serial number of the certificate.
– Not Valid Before displays the issue date of the certificate.
– Not Valid After displays the expiry date of the certificate.
– Assurance Level displays the assurance level of the certificate.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
a Review the information provided to determine that you want to import the
Document Signer certificate into the National PKD:
4 To preview the materials before importing them into the National PKD, select
Preview materials before uploading.
Previewing the materials allows you to display information about all materials to
import. The preview allows you to inspect the contents and optionally remove
some of the materials before importing them into the National PKD.
5 To import the materials using a background import thread, click Import in
background.
Using a background import thread is recommended for large import operations.
Typically, there is one CRL and one master list per country, but there could be a
very large number of Document Signer certificates. The PKD Status tab can
display information about how many materials PKD Reader has downloaded
from the ICAO PKD (see “Viewing the status of PKD Reader” on page 693).
6 Click Browse to locate and select the LDIF file.
7 Click Submit.
Each row in the grid contains information about a CRL. Each row contains
the following columns:
– Country Code displays the country code of the originating country.
– Country displays the name of the originating country.
– Issuer DN displays the distinguished name (DN) of the CSCA that issued
the certificate.
– Last Update displays the date and time the CRL was last updated.
– Next Update displays the date and time the CRL is scheduled to be
updated.
– Source displays the source of the CRL.
The value Manual indicates that the CRL was manually imported by an
NPKD administrator.
The value ICAO indicates that the CRL was downloaded from the ICAO
PKD.
The value Discovered indicates that the CRL was discovered and
downloaded by NPKD from a URL in a Document Signer certificate’s CDP
(CRL distribution point).
By default, the NPKD services can automatically discover and download
CRLs when importing Document Signer certificates and a URL is found in
a certificate’s CDP. You can disable automatic discovery of CRLs by editing
the NPKD settings (see “Configuring NPKD services settings” on
page 710).
– Assurance Level displays the assurance level of the CRL.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
To view the results of all assurance level tests performed, click the arrow
next to the country code.
– Revoked displays the number of revoked certificates in the CRL.
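The CDP discovery and the trust checks behind the Status, Issuer DN and Next Update columns above, as an added Go example (not code from the NPKD services): it filters a Document Signer certificate’s CDP URLs through an assumed scheme allow-list, then accepts a discovered CRL only if it parses, is issued and signed by the CSCA that issued the DS certificate, and is not past Next Update. The CSCA, DS certificate and CRL are constructed in-process; the allow-list, names and serial numbers are assumptions of the example, not NPKD settings or real ICAO material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// URL schemes a CRL discoverer may follow (an assumption of this example, not an NPKD setting).
var allowedSchemes = map[string]bool{"http": true, "https": true, "ldap": true, "ldaps": true}

// DiscoverableCDPs splits a DS certificate's CDP URLs into fetchable ones and ignored ones (with reasons).
func DiscoverableCDPs(ds *x509.Certificate) (fetch []string, skipped map[string]string) {
	skipped = map[string]string{}
	for _, raw := range ds.CRLDistributionPoints {
		u, err := url.Parse(raw)
		switch {
		case err != nil:
			skipped[raw] = "unparseable URL"
		case !allowedSchemes[u.Scheme]:
			skipped[raw] = "scheme not allowed: " + u.Scheme
		case u.Host == "":
			skipped[raw] = "no host"
		default:
			fetch = append(fetch, raw)
		}
	}
	return fetch, skipped
}

// CheckDiscoveredCRL applies the checks behind the Status column before a discovered CRL is trusted: it must
// parse, be issued and signed by the DS certificate's CSCA, and not be past Next Update. Reports revocation.
func CheckDiscoveredCRL(crlDER []byte, ds, csca *x509.Certificate, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, fmt.Errorf("corrupt CRL: %w", err)
	}
	if crl.Issuer.String() != ds.Issuer.String() {
		return false, errors.New("CRL issuer differs from the DS certificate issuer")
	}
	if err := crl.CheckSignatureFrom(csca); err != nil {
		return false, fmt.Errorf("CRL signature not verifiable with the CSCA certificate: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, errors.New("CRL is past its Next Update")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(ds.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func must(err error) { if err != nil { panic(err) } }

// issue signs tmpl with the parent's key and returns the parsed certificate (test fixture helper).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// ConstructedPKI builds throwaway test material (not real ICAO data): a CSCA, a DS certificate it
// issued carrying the given CDP URLs, and a CSCA-signed CRL that revokes the DS certificate if asked.
func ConstructedPKI(cdps []string, revokeDS bool) (csca, ds *x509.Certificate, crlDER []byte) {
	now := time.Now()
	cscaKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	dsKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	cscaTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{Country: []string{"XX"}, CommonName: "Constructed CSCA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour), SubjectKeyId: []byte{1, 2, 3, 4},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	csca = issue(cscaTmpl, cscaTmpl, &cscaKey.PublicKey, cscaKey)
	dsTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{Country: []string{"XX"}, CommonName: "Constructed Document Signer"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, CRLDistributionPoints: cdps,
	}
	ds = issue(dsTmpl, csca, &dsKey.PublicKey, cscaKey)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(30 * 24 * time.Hour)}
	if revokeDS {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: ds.SerialNumber, RevocationTime: now.Add(-time.Minute)}}
	}
	crlDER, err = x509.CreateRevocationList(rand.Reader, crlTmpl, csca, cscaKey)
	must(err)
	return csca, ds, crlDER
}
```

A CRL whose issuer DN matches but whose signature does not verify against the stored CSCA trust anchor is rejected, which is why the check uses the CSCA certificate rather than the DN alone.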
Each row in the grid contains information about a master list. Each row
contains the following columns:
– Country Code displays the country code of the originating country.
– Country displays the name of the originating country.
– Signer DN displays the distinguished name (DN) of the CSCA that signed
the master list.
– Signing Time displays the date and time the master list was signed.
– Assurance Level displays the assurance level of the certificate.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
To view the results of all assurance level tests performed, click the arrow
next to the country code.
– CSCA Certificates displays the number of CSCA certificates in the master
list.
– Actions displays a list of available actions you can perform on the master
list.
To remove the master list from the list, click Remove Master List. The
master list will not be imported into the National PKD.
d To import the materials, click Import CSCA Materials.
9 The import process can take up to several minutes to complete.
• If you chose to import the materials using a background thread, the page will
display the following message:
4 To preview the Document Signer certificates before importing them into the
National PKD, select Preview materials before uploading.
Previewing the materials allows you to display information about all materials to
import. The preview allows you to inspect the contents and optionally remove
some of the materials before importing them into the National PKD.
5 Click Browse to locate and select one or more Document Signer certificate
files.
6 Click Submit.
NPKD will not upload files it does not recognize as Document Signer certificates.
If no Document Signer certificates were found in the selected files, NPKD
Administration displays an error message.
a The DS Certificate List grid contains information about the Document Signer
certificates.
Each row contains information about a Document Signer certificate. Each
row contains the following columns:
– Country Code displays the country code of the originating country.
– Country displays the name of the originating country.
– Serial Number displays the serial number of the certificate.
– Issuer DN displays the distinguished name (DN) of the CSCA that issued
the certificate.
– Subject DN displays the distinguished name (DN) of the Document Signer
certificate.
– Not Valid Before displays the issue date of the certificate.
– Not Valid After displays the expiry date of the certificate.
– Assurance Level displays the assurance level of the certificate.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
To view the results of all assurance level tests performed, click the arrow
next to the country code.
– Actions displays a list of available actions you can perform on the
certificate.
To remove the Document Signer certificate from the list, click Remove
Certificate. The certificate will not be imported into the National PKD.
b To import the Document Signer certificates into the National PKD, click
Import DS Certificates.
4 To preview the CSCA certificates before importing them into the National PKD,
select Preview materials before uploading.
Previewing the materials allows you to display information about all materials to
import. The preview allows you to inspect the contents and optionally remove
some of the materials before importing them into the National PKD.
5 Click Browse to locate and select one or more CSCA certificate files.
6 Click Submit.
NPKD will not upload files it does not recognize as CSCA certificates. If no CSCA
certificates were found in the selected files, NPKD Administration displays an
error message.
4 To preview the CRLs before importing them into the National PKD, select
Preview materials before uploading.
Previewing the materials allows you to display information about all materials to
import. The preview allows you to inspect the contents and optionally remove
some of the materials before importing them into the National PKD.
5 Click Browse to locate and select one or more CRL files.
6 Click Submit.
NPKD will not upload files it does not recognize as CRLs. If no CRLs were found
in the selected files, NPKD Administration displays an error message.
4 To preview the master lists before importing them into the National PKD, select
Preview materials before uploading.
a The Master Lists List grid contains information about the master lists.
Each row in the grid contains information about a master list. Each row
contains the following columns:
– Country Code displays the country code of the originating country.
– Country displays the name of the originating country.
– Signer DN displays the distinguished name (DN) of the CSCA that signed
the master list.
– Signing Time displays the date and time the master list was signed.
– Assurance Level displays the assurance level of the certificate.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
To view the results of all assurance level tests performed, click the arrow
next to the country code.
– CSCA Certificates displays the number of CSCA certificates in the master
list.
Note:
The PKD Reader page appears in NPKD Administration only if you enable
connections to PKD Reader during installation.
If you enabled a connection to PKD Reader during installation, you can manage the
PKD Reader from the NPKD Administration interface.
From NPKD Administration, you can view the status of PKD Reader, import CSCA
materials from PKD Reader into the National PKD, edit some PKD Reader settings,
and download CSCA materials from the ICAO PKD into PKD Reader.
This section contains the following topics:
• “Viewing the status of PKD Reader” on page 693
• “Importing CSCA materials from PKD Reader into the National PKD” on
page 696
• “Editing PKD Reader settings” on page 700
• “Downloading CSCA materials from ICAO PKD into PKD Reader” on
page 702
5 If the NPKD services can successfully display the status of PKD Reader:
a ICAO Credentials Status displays information about the status of the PKD
Reader’s connection to the ICAO PKD credential.
– Last successful download displays the date and time of PKD Reader’s last
successful download from the ICAO PKD.
– Time elapsed since last successful download displays the number of hours
since PKD Reader’s last successful download from the ICAO PKD.
– Next scheduled download displays the next date and time that PKD Reader
is scheduled to download materials from the ICAO PKD.
– Downloaded CRLs displays the current number of CRLs downloaded from
the ICAO PKD.
To import CSCA materials from PKD Reader into the National PKD
1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click PKD Reader.
The PKD Reader page appears.
4 Under Import CSCA materials from the PKD Reader repository to NPKD:
• To import only certificate revocation lists (CRLs), click CRLs.
• To import all CSCA materials (CRLs, Document Signer certificates, and
master lists), click CSCA Materials.
• To import only Document Signer certificates, click DS Certificates.
• To import only master lists, click Master Lists.
5 To preview the materials before importing them into the National PKD, select
Preview materials before uploading.
Previewing the materials allows you to display information about all materials to
import. The preview allows you to inspect the contents and optionally remove
some of the materials before importing them into the National PKD.
6 To import the materials using a background import thread, click Import in
background.
Using a background import thread is recommended for large import operations.
Typically, there is one CRL and one master list per country, but there could be a
very large number of Document Signer certificates. The PKD Status tab can
display information about how many materials PKD Reader has downloaded
from the ICAO PKD (see “Viewing the status of PKD Reader” on page 693).
7 Click Submit.
a If importing master lists or all CSCA materials, the DS Certificate List grid
contains a list of Document Signer certificates in PKD Reader that you can
import into the National PKD.
Each row in the grid contains information about a Document Signer
certificate. Each row contains the following columns:
– Country Code displays the country code of the originating country.
– Country displays the name of the originating country.
– Serial Number displays the serial number of the certificate.
– Issuer DN displays the distinguished name (DN) of the CSCA that issued
the certificate.
– Subject DN displays the distinguished name (DN) of the Document Signer
certificate.
– Not Valid Before displays the issue date of the certificate.
– Not Valid After displays the expiry date of the certificate.
– Assurance Level displays the assurance level of the certificate.
The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
– Actions displays a list of available actions you can perform on the
certificate.
To remove the Document Signer certificate from the list, click Remove
Certificate. The certificate will not be imported into the National PKD.
b If importing CRLs or all CSCA materials, the CRLs List grid contains a list of
CRLs in PKD Reader that you can import into the National PKD.
Each row in the grid contains information about a CRL. Each row contains
the following columns:
– Country Code displays the country code of the originating country.
4 For Number of hours between periodic PKD downloads, enter the frequency (in
hours) that PKD Reader will attempt to download CSCA materials from the ICAO
PKD.
By default, PKD Reader attempts to download materials from the ICAO PKD
every 24 hours.
5 For Number of attempts to establish a PKD connection before reporting the
failure field, enter the number of attempts PKD Reader will take to establish a
connection with the ICAO PKD before reporting a failure.
By default, PKD Reader will attempt to connect to the ICAO PKD three times
before reporting a failure.
6 For PKD LDAP page size, enter the number of entries per page returned from an
LDAP query. If 0, PKD Reader will not use LDAP paging.
The ICAO PKD can contain thousands of master lists, Document Signer
certificates, and CRLs. During PKD Reader startup and periodically thereafter the
service populates a cache of CSCA materials from the ICAO PKD. By default,
when downloading CSCA materials, the PKD Reader will attempt to download
all CSCA materials at once in one LDAP search query. If the LDAP server search
limit is ever reached, not all CSCA materials will be returned.
To ensure that all CSCA materials will be returned from an LDAP search query,
you can configure the LDAP page size the PKD Reader will use when searching
the ICAO PKD and obtaining results. The LDAP page size controls how many
entries per page are returned from an LDAP query; the directory will continue to
return pages of search results until all results are returned.
The default value is 1000.
7 Click Submit.
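The paging behaviour described in step 6 (an unpaged search is silently cut off at the directory's size limit, a paged search keeps asking for pages until the cookie comes back empty) can be seen in a small simulation. This is an added example, not code from the Entrust ePassport guide or from PKD Reader; the in-memory directory, its 2500 sample entries and the size limit of 1000 are constructed stand-ins for the ICAO PKD LDAP server, and the cookie handling follows the RFC 2696 paged results control.

```python
"""Simulate LDAP paged retrieval of CSCA materials (RFC 2696 semantics).

Added example; not code from the Entrust ePassport documentation or the
PKD Reader product. The in-memory directory, its entries and the size limit
are constructed stand-ins for the ICAO PKD LDAP server, chosen to show why
an unpaged search is silently truncated and a paged search is not.
"""
from typing import List, Tuple

# Constructed sample content: 2500 Document Signer certificate entries.
SAMPLE_ENTRIES = [f"cn=DS-{i:04d},o=PKD,c=XX" for i in range(2500)]
SERVER_SIZE_LIMIT = 1000  # assumed server-side sizelimit


class FakeDirectory:
    """Minimal model of an LDAP server that enforces a sizelimit."""

    def __init__(self, entries: List[str], size_limit: int) -> None:
        self._entries = list(entries)
        self._size_limit = size_limit

    def search(self, page_size: int, cookie: bytes) -> Tuple[List[str], bytes, bool]:
        """Return (entries, next_cookie, truncated).

        page_size <= 0 mirrors the guide's 'PKD LDAP page size = 0' setting:
        no paging control is sent, so the server applies its sizelimit and
        returns only the first SERVER_SIZE_LIMIT entries.
        """
        if page_size <= 0:
            truncated = len(self._entries) > self._size_limit
            return self._entries[: self._size_limit], b"", truncated
        # Paged search: the server never returns more than its sizelimit per page.
        offset = int(cookie) if cookie else 0
        page = self._entries[offset: offset + min(page_size, self._size_limit)]
        next_offset = offset + len(page)
        # An empty cookie signals that the result set is exhausted (RFC 2696).
        next_cookie = str(next_offset).encode() if next_offset < len(self._entries) else b""
        return page, next_cookie, False


def fetch_all(directory: FakeDirectory, page_size: int) -> Tuple[List[str], bool, int]:
    """Collect every entry, looping on the paging cookie until it is empty.

    Returns (entries, complete, pages). 'complete' is False when the server
    truncated an unpaged search, which is the failure mode the guide warns about.
    """
    collected: List[str] = []
    cookie = b""
    pages = 0
    while True:
        page, cookie, truncated = directory.search(page_size, cookie)
        collected.extend(page)
        pages += 1
        if truncated or not cookie:
            return collected, not truncated, pages


if __name__ == "__main__":
    pkd = FakeDirectory(SAMPLE_ENTRIES, SERVER_SIZE_LIMIT)
    for size in (0, 1000):
        entries, complete, pages = fetch_all(pkd, size)
        print(f"page size {size}: {len(entries)} entries in {pages} page(s), complete={complete}")
```

With page size 0 the loop returns 1000 of 2500 entries and reports the result as incomplete; with page size 1000 it retrieves all 2500 in three pages. A page size larger than the server limit is capped per page, so the total is still complete, which is why the default of 1000 is a safe setting rather than a ceiling on how much can be downloaded.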
Note:
Downloading CSCA materials from the ICAO PKD only downloads the materials
into the PKD Reader; it does not import the materials into the National PKD. For
information about importing CSCA materials from the PKD Reader into the
National PKD, see “Importing CSCA materials from PKD Reader into the National
PKD” on page 696.
To download CSCA materials from the ICAO PKD into PKD Reader
1 Log in to NPKD Administration (see “Logging in to NPKD Administration” on
page 572).
2 Click PKD Reader.
The PKD Reader page appears.
3 Click the Download CSCA Materials tab.
4 Click Download.
The download process can take up to several minutes to complete. If the
download is successful, a success message appears, along with a grid that
displays how many CRLs, Document Signer certificates, and master lists were
downloaded. For example:
3 If you want to restore the global assurance policy settings to the factory default
values, click Restore Default Global Policy Settings.
4 Under the Global Policy section:
a For Name, enter a friendly name for the global policy settings. The default
value is default.
3 For Log Level, select the level of detail to write in the NPKD services logs.
The logging level can be one of (in increasing severity) Trace, Debug,
Information, Warning, Error, Alert, or Fatal. This sets the lowest level of message
to show. For example, Error provides messages of Error, Alert and Fatal status.
Note:
The PKD Reader Auto-import Enabled option appears only if you enabled a
connection with PKD Reader during installation.
If automatic imports from PKD Reader are enabled, it will refresh the materials in
the National PKD. Refreshing the materials may override any modifications that
administrators made between the scheduled imports. For example, PKD may
re-add materials that an administrator previously removed from the National
PKD.
To have full control over materials imported from PKD Reader, you must disable
automatic imports from PKD Reader. You can then manually import materials
from PKD Reader (see “Importing CSCA materials from PKD Reader into the
National PKD” on page 696). Manually importing materials from PKD Reader
allows you to review the materials in PKD Reader and remove any unwanted
materials before uploading them into the National PKD.
• To enable automatic imports from PKD Reader, select True. Additional
settings appear:
Customizing the NPKD Administration interface
When customizing the NPKD Administration interface, you can make several changes
to reflect the corporate identity of your company. This section provides you with
details about how to apply those changes.
Note:
Any changes you make may require you to complete manual tasks when you
upgrade to the next version of Administration Services. It is recommended that
you keep track of the changes you make.
common.css Defines the styles for elements common to all pages in the
interface, such as the title bar or columns.
entrust-cloud-foyer-2.css Defines the styles for elements common to all pages in the
interface, such as the title bar or columns.
jquery-ui-1.9.2.custom.css Stylesheet for jQuery UI. See the jQuery UI documentation for
information about this file.
jquery-ui-1.9.2.custom.min.css Stylesheet for jQuery UI. See the jQuery UI documentation for
information about this file.
kendo.blueopal.min.css Stylesheet for the Blue Opal theme in Kendo UI. See the Kendo
UI documentation for information about this file.
kendo.common.min.css Common stylesheet for the Kendo UI. See the Kendo UI
documentation for information about this file.
kendo.default.min.css Stylesheet for the default theme in Kendo UI. This file is not
used by NPKD Administration.
Only someone with a good knowledge of CSS should edit the CSS files. When editing
the CSS files, take care not to make any changes that can break the NPKD
Administration interface. Always back up a file before making any edits to the file.
Note:
Do not remove the en folder. It is the default locale.
Localization overview
Localization is the process of modifying or adapting a software application to fit the
requirements of a particular locale. Localization includes translating application text
to conform with a specific locale, and it might also include modifying the date, time,
and currency formats.
About locales
A locale is a specific geographic, political, or cultural region. Locales are generally
specified using a language code combined with a country code.
Language codes are two-letter codes defined by ISO 639 Code for the representation
of the names of languages. By convention, language codes are shown in lower case.
Some common examples include:
• en—English
• fr—French
• ja—Japanese
• ko—Korean
• zh—simplified and traditional Chinese
Country codes are two-letter codes defined by ISO 3166 Country Codes. By
convention, country codes appear in upper case. Some common examples include:
• CA—Canada
• US—United States
• GB—United Kingdom (Great Britain)
• JP—Japan
• CN—China
Defining locales
Locales are generally specified using a combination of a language code and a country
code. The most common interpretation of this standard is the two-letter language
code followed by the two-letter country code, for example:
• fr_CA—French (Canada)
• en_US—English (United States)
• en_GB—English (United Kingdom)
• ja_JP—Japanese (Japan)
Table 40: NPKD Administration files to translate for your new locale
npkd-messages_<locale>.properties, located in <AS-install>\services\npkd\npkd\webapp\WEB-INF\classes
on the server hosting the application server components.
Where <locale> is the new locale you added to NPKD Administration.
This file contains strings used in NPKD Administration.
This section provides instructions for installing a Master List Signer Services CA,
installing and configuring Administration Services, and administering master lists.
This section contains the following chapters:
• “Installing a Master List Signer Services CA” on page 733
• “Deploying the Master List Signer services” on page 737
• “Configuring the Master List Signer services” on page 785
• “Administering master lists” on page 797
• “Customizing MLS Administration” on page 875
• “Localizing MLS Administration” on page 881
• “MLS Web Service API reference” on page 889
732 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0
Note:
Do not confuse the Master List Signer Services CA with a Country Signing
Certification Authority (CSCA). The CSCA acts as a root of trust for e-passports
issued within its own country. The CSCA issues a credential to the Master List
Signer for signing master lists of trusted foreign CSCAs. The Master List Signer
Services CA provides profiles required to run the Master List Signer services
provided by Administration Services. For information about installing and
configuring Security Manager as a CSCA, see “Installing a Country Signing CA”
on page 95.
The Master List Signer Services CA can be the CSCA or any other CA in an e-passport
architecture.
This chapter includes the following sections:
• “Installing and configuring Security Manager” on page 734
• “Post-configuration steps” on page 735
Installing and configuring Security Manager
Before installing Security Manager, ensure that you read all preinstallation
information described in the Security Manager 8.3 Installation Guide. Ensure that
you install and configure a supported LDAP directory and database as described in
the Security Manager 8.3 Installation Guide.
When using the countryName (c=) directory attribute to specify a two-letter country
code, the two-letter country code must be in uppercase characters to meet the ISO
3166 standard.
Note:
Microsoft Active Directory is not supported for a Master List Signer Services CA.
Install, configure, and initialize Security Manager according to the instructions in
the Security Manager 8.3 Installation Guide. After installing and configuring Security
Manager, proceed to “Post-configuration steps” on page 735.
• “Configuring Master List Server authentication to a directory without
anonymous access” on page 774
• “Configuring Master List Signer administrators for PKCS #12 enrollment” on
page 776
• “Creating an ePassport Auditor certificate type” on page 777
• “Creating Master List Signer administrators” on page 779
• “Testing MLS Administration” on page 784
To create a user entry for the Master List Server profile using Security
Manager Administration
1 Log in to Security Manager Administration for the Master List Signer Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
4 Click the General tab.
5 From the Role drop-down list, select Server Login.
To create a user entry for the Master List Client profile using Security Manager
Administration
1 Log in to Security Manager Administration for the Master List Signer Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
4 Click the General tab.
5 From the Role drop-down list, select Server Login.
6 Select the Certificate Info tab, and then complete the following:
This page lists all configured services (if any). Click Next to add a new service.
a In the SSL/TLS Port Number for MLS Web Service field, enter the SSL port
number for the MLS Web Service (by default 443 or 10443).
b In the SSL/TLS Port Number for MLS Administration field, enter the SSL port
number for MLS Administration (by default 11443).
c Click Next.
a In the text field, enter the full path and file name of the entrust.ini file
from the Entrust CA that issued the Master List Server profile, or click Choose
to locate the file.
b Click Next to continue.
a In the Enter the location of the MLS Server Profile field, click Choose to
locate and select the Master List Server profile (EPF file).
b In the Enter the Password to login to your MLS Server Profile field, enter the
password for the EPF file.
c Click Next.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the Master List Server profile.
b In the Enter the Password to login to your MLS Server Profile field, enter the
password for the profile.
c Click Next.
a In the Enter the location of the MLS Signer Profile field, click Choose to
locate and select the Master List Signer profile (EPF file).
b In the Enter the Password to login to your MLS Signer Profile field, enter the
password for the EPF file.
c Click Next.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the Master List Signer profile.
b In the Enter the Password to login to your MLS Signer Profile field, enter the
password for the profile.
c Click Next.
Proceed to Step 20 on page 767.
a In the Enter the location of the MLS Signer PKCS 12 Profile field, enter the
full path and file name of the Master List Signer PKCS #12 file (PFX or P12
file), or click Choose to locate the file.
b In the Enter the Password login to your MLS Signer PKCS 12 Profile field,
enter the password for the file.
c In the Enter the Location of the CSCA Root Certificate File field, enter the
full path and file name of the CSCA certificate file, or click Choose to locate
the file.
d Click Next to continue.
Proceed to Step 20 on page 767.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the Master List Signer profile.
b In the Enter the Password to login to your MLS Signer Token Profile field,
enter the password for the profile.
c In the Enter the Location of the CSCA Root Certificate File field, enter the
full path and file name of the CSCA certificate file, or click Choose to locate
the file.
d Click Next to continue.
The PKD Writer Web Service records and maintains a history of the materials that
have been uploaded to the ICAO PKD. MLS Administration can connect to the
PKD Writer Web Service to display the status of CSCA materials uploaded to the
ICAO PKD.
a To enable the GUI extension in MLS Administration to display the status of
CSCA materials uploaded to the ICAO PKD, select Enable the display of the
CSCA materials upload status. By default, this option is selected.
To disable the GUI extension in MLS Administration, deselect Enable the
display of the CSCA materials upload status.
b If you selected Enable the display of the CSCA materials upload status:
– In the PKD Writer Web Service URL field, enter the URL for the PKD Writer
Web Service.
The URL for the PKD Writer Web Service is https://<server>:<port>/pkdwriter/services/PkdwwsService,
where <server> is the host name or IPv4 address of the server hosting the
PKD Writer Web Service, and <port> is the SSL port for the PKD Writer
Web Service (by default 443 or 13443).
a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. By default, this option is already selected.
– To not start the service after exiting the installer, deselect Start the service
automatically. You must manually restart Administration Services to use the
new service.
b Click Next.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.
Note:
The ePassport Auditor (ent_epass_auditor) certificate type also grants read
access to CSCA materials in the National PKD, if the CSCA issues credentials to
both the NPKD services and Master List Signer services. You may have already
created this certificate type for the NPKD services in “Creating certificate types
for NPKD services” on page 471.
To create a user entry for a Master List Signer administrator using Security
Manager Administration
1 Log in to Security Manager Administration for the Master List Signer Services CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
4 Click the General tab.
5 From the Role drop-down list, select Master List Signer Administrator.
6 Select the Certificate Info tab, and then complete the following:
a In the Category drop-down list, select Enterprise.
b Under Certificate Type:
To create a user entry for a Master List Signer administrator using the User
Management Service
1 Log in to the User Management Service for the Master List Signer Services CA.
2 Click the Accounts tab.
3 Click the Create Account tab.
4 In the User Type drop-down list, select a user type.
User types determine which attributes and object classes are included in the user’s
distinguished name.
5 In the Certificate Type drop-down list:
• For the administrator to perform all operations, select Enterprise - ePassport
- Master List Signer Administrator.
• For the administrator to only view and export data, select Enterprise -
ePassport Auditor. You must have created this certificate type in “Creating
an ePassport Auditor certificate type” on page 777.
6 In the available text fields, enter the name that will become the common name
of the user entry. An asterisk (*) appears beside required fields. You must enter
information into all fields marked with asterisks.
7 From the Role drop-down list, select Master List Signer Administrator.
To create the Master List Signer administrator credentials as a PKCS #12 security
store, the client policy (user policy) assigned to the role must allow PKCS #12
export. For details, see “Configuring Master List Signer administrators for PKCS
#12 enrollment” on page 776.
8 Complete the rest of the information as required. See the Administration Services
User Administration Guide for more information.
9 Click Submit.
Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.
Configuring the Master List Signer services logs
The Master List Signer services—MLS Administration and MLS Web Service—share a
log file. This log file contains messages related to the operation of the Master List
Signer services.
Administration Services allows you to customize the Master List Signer services log
file settings. You can configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain
Setting Description
<Level> Sets the level of detail for the logs.
The logging level can be one of (in increasing severity) TRACE, DEBUG,
INFO, WARNING, ERROR, ALERT, or FATAL. This sets the lowest level of
message to show. For example, ERROR provides messages of ERROR,
ALERT and FATAL status.
Default: INFO
<FileName> Sets the name (including path) of the log file.
Default: <AS-install>\services\mls\mls\logs\mls_mls.log
<FileSize> Sets the maximum size of a log file, in bytes.
Default: 1000000
Do not set the value to 0, or Apache Tomcat will fail to start.
<Backups> Sets the maximum number of log files to keep. After the last log file
reaches the maximum size, the first log file is overwritten.
Default: 10
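The threshold semantics of the log level (ERROR keeps ERROR, ALERT and FATAL) and the warning that a FileSize of 0 stops Apache Tomcat apply both to the NPKD services Log Level setting above and to the Master List Signer settings in this table. The following is an added example, not code from the Entrust ePassport guide or from Administration Services: it parses the four settings from a constructed XML fragment, flags the values the guide says are unsafe, and applies the threshold to constructed sample log lines. The enclosing <Logging> element, the sample lines and the helper names are this example's own assumptions; the guide names only the <Level>, <FileName>, <FileSize> and <Backups> elements.

```python
"""Validate Master List Signer log settings and apply the level threshold.

Added example; not code from the Entrust ePassport documentation or product.
The XML fragment, the log lines and the helper names are constructed; only
the element names and the severity order come from the guide.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Severity order as the guide lists it, lowest first.
LEVELS = ["TRACE", "DEBUG", "INFO", "WARNING", "ERROR", "ALERT", "FATAL"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed configuration; the <Logging> wrapper is an assumption.
SAMPLE_CONFIG = """<Logging>
  <Level>ERROR</Level>
  <FileName>C:\\AS\\services\\mls\\mls\\logs\\mls_mls.log</FileName>
  <FileSize>1000000</FileSize>
  <Backups>10</Backups>
</Logging>"""

# Constructed sample log lines in the form 'TIMESTAMP LEVEL message'.
SAMPLE_LOG = [
    "2024-01-15T10:00:01Z TRACE entering signMasterList",
    "2024-01-15T10:00:02Z DEBUG loaded 42 foreign CSCA certificates",
    "2024-01-15T10:00:03Z INFO master list draft saved",
    "2024-01-15T10:00:04Z WARNING CRL for one country is past its next update",
    "2024-01-15T10:00:05Z ERROR PKD Writer Web Service unreachable",
    "2024-01-15T10:00:06Z ALERT signing profile login failed",
    "2024-01-15T10:00:07Z FATAL cannot open log file",
]


def parse_log_settings(xml_text: str) -> Dict[str, object]:
    """Read the four settings; raises ValueError if one is missing or malformed."""
    root = ET.fromstring(xml_text)

    def text(tag: str) -> str:
        node = root.find(tag)
        if node is None or not (node.text or "").strip():
            raise ValueError(f"missing <{tag}>")
        return node.text.strip()

    return {
        "level": text("Level").upper(),
        "file": text("FileName"),
        "size": int(text("FileSize")),
        "backups": int(text("Backups")),
    }


def check_log_settings(settings: Dict[str, object]) -> List[str]:
    """Return a list of problems; an empty list means the settings are usable."""
    problems = []
    if settings["level"] not in RANK:
        problems.append(f"Level {settings['level']!r} is not one of {LEVELS}")
    if settings["size"] <= 0:
        # The guide: a FileSize of 0 makes Apache Tomcat fail to start.
        problems.append("FileSize must be greater than 0 or Tomcat will not start")
    if settings["backups"] < 1:
        problems.append("Backups must be at least 1 to keep any log file")
    return problems


def filter_by_level(lines: List[str], threshold: str) -> List[str]:
    """Keep lines whose severity is at or above the configured threshold."""
    if threshold not in RANK:
        raise ValueError(f"unknown level {threshold!r}")
    kept = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 3 or parts[1] not in RANK:
            continue  # malformed line; skip rather than guess its severity
        if RANK[parts[1]] >= RANK[threshold]:
            kept.append(line)
    return kept


if __name__ == "__main__":
    cfg = parse_log_settings(SAMPLE_CONFIG)
    print("problems:", check_log_settings(cfg) or "none")
    for line in filter_by_level(SAMPLE_LOG, cfg["level"]):
        print(line)
```

Running it with the constructed configuration prints only the ERROR, ALERT and FATAL lines; changing <Level> to INFO would also pass the INFO and WARNING lines through, and changing <FileSize> to 0 is reported as a problem before the settings are used.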
Logging in to MLS Administration
MLS Administration provides an interface for Master List Signer administrators to
administer their country’s Master List Signer. You are required to log in to the MLS
Administration interface with a certificate stored in your Web browser (see “Creating
Master List Signer administrators” on page 779).
Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.
On this page:
• The Assurance Level pane displays the current assurance level of the master
list, and the expiry date of the assurance level.
The assurance level, from highest to lowest, can be one of: High Assurance,
Minor Defect, or Low Assurance.
Note:
If you are using the current domestic master list to create a new master list, the
current domestic CA certificate will not appear under Domestic Certificates if a
CA key update occurred after the current master list was created. You do not
need to add the current domestic CA certificate to the master list; the current
domestic CA certificate will be added automatically when you save the master list
(click Sign and Save or Save as Draft).
• The Foreign Certificates pane lists all foreign CSCA certificates in the master
list.
If you are creating a new domestic master list, no certificates appear under
Foreign Certificates.
• The Test Results pane displays the results of the assurance policy tests that
Administration Services performed on the master list.
If you click a different tab while editing the master list, Administration Services
will save a copy of the master list as you work. Administration Services will keep
a copy of the master list until you save the master list, cancel the edit session, or
close your browser.
You can cancel the edit at any time by clicking Cancel Edit.
8 You can save a draft of the master list at any time by clicking Save as Draft.
By default, draft master lists are saved to the following location on the server
hosting the Master List Signer services:
<AS-install>\mls\mls\domestic-master-lists
The master list is saved with the file name <country_code>_YYMMDDhhmmssZ.der,
where:
• <country_code> is the country code of your country.
• YYMMDDhhmmss is the date and time that the draft master list was saved.
For example, MM_100630190114Z.der.
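A small helper for the draft file name format described above, added here as an example and not code from the Entrust ePassport guide or from MLS Administration: it builds a name from a country code and timestamp, parses a name back, and picks the newest draft from a directory listing. It treats the trailing Z as the UTC designator (the guide does not spell that out) and requires the country code to be two uppercase letters, following the ISO 3166 convention the guide cites elsewhere; the function names and the regular expression are this example's own.

```python
"""Build and parse draft master list file names: <country_code>_YYMMDDhhmmssZ.der

Added example; not code from the Entrust ePassport documentation or product.
Assumptions: the trailing 'Z' means UTC, and the country code is the
two-letter uppercase ISO 3166 code.
"""
import re
from datetime import datetime, timezone
from typing import List, Optional, Tuple

_NAME_RE = re.compile(r"^(?P<cc>[A-Z]{2})_(?P<ts>\d{12})Z\.der$")
_TS_FORMAT = "%y%m%d%H%M%S"  # YYMMDDhhmmss


def build_draft_filename(country_code: str, saved_at: datetime) -> str:
    """Return the file name MLS Administration would use for a draft saved at saved_at."""
    if not re.fullmatch(r"[A-Z]{2}", country_code):
        raise ValueError("country code must be two uppercase letters (ISO 3166)")
    if saved_at.tzinfo is None:
        raise ValueError("saved_at must be timezone-aware so it can be expressed in UTC")
    utc = saved_at.astimezone(timezone.utc)  # 'Z' suffix means UTC
    return f"{country_code}_{utc.strftime(_TS_FORMAT)}Z.der"


def parse_draft_filename(name: str) -> Tuple[str, datetime]:
    """Split a draft file name into (country_code, saved_at in UTC)."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a draft master list file name: {name!r}")
    saved_at = datetime.strptime(m.group("ts"), _TS_FORMAT).replace(tzinfo=timezone.utc)
    return m.group("cc"), saved_at


def is_valid_draft_filename(name: str) -> bool:
    """True if the name matches the format and carries a real date and time."""
    try:
        parse_draft_filename(name)
        return True
    except ValueError:
        return False


def latest_draft(names: List[str]) -> Optional[str]:
    """From a directory listing, return the most recently saved draft (or None)."""
    drafts = [(parse_draft_filename(n)[1], n) for n in names if is_valid_draft_filename(n)]
    return max(drafts)[1] if drafts else None


if __name__ == "__main__":
    cc, ts = parse_draft_filename("MM_100630190114Z.der")  # the guide's own example
    print(cc, ts.isoformat())
    print(build_draft_filename(cc, ts))
```

The guide's own example, MM_100630190114Z.der, parses to country code MM saved at 2010-06-30T19:01:14 UTC and rebuilds to the same name; a lowercase country code or a non-existent date (such as a 13th month) is rejected rather than silently accepted.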
9 To add a foreign CSCA certificate from a file:
a In the Add Certificate pane, select From a file containing a single certificate,
and then click Browse to select the certificate file.
On this page:
– Certificate Details displays information about the CSCA certificate.
The Assurance Level was calculated based on the results of the assurance
policy tests. The assurance level, from highest to lowest, can be one of:
High Assurance, Minor Defect, or Low Assurance.
c Click the country code corresponding to the foreign master list that includes
the CSCA certificate you want to add to your domestic master list.
The View Foreign Master List page appears.
On this page:
• Certificate Details displays information about the CSCA certificate.
The Assurance Level was calculated based on the results of the assurance
policy tests. The assurance level, from highest to lowest, can be one of: High
Assurance, Minor Defect, or Low Assurance.
The assurance level expiry date is calculated using the shortest expiration
date of the material used to validate the material, such as a CRL.
5 Click Export.
A File Download dialog box appears.
6 Click Save to save the master list to a file.
On this page:
• The Archived Domestic Master List Details pane displays information about
the archived domestic master list.
5 Verify that you selected the archived master list that you want to export, and
then click Export.
A File Download dialog box appears.
6 Click Export to save the archived master list to a file.
The default master list file name is <country_code>_YYMMDDhhmmssZ.der, where:
• <country_code> is the country code of your country.
To make an archived domestic master list the active domestic master list
1 Log in to MLS Administration (see “Logging in to MLS Administration” on
page 798).
2 Click Domestic Master List.
3 Click the Archived Domestic Master Lists tab.
The Archived Domestic Master Lists page appears.
4 To view a specific master list, click the country code corresponding to the foreign
master list that you want to view.
The View Foreign Master List page appears.
4 To view a specific foreign master list, click the country code corresponding to the
foreign master list that you want to view.
The View Foreign Master List page appears.
4 To view a master list before exporting it, click the country code corresponding to
the foreign master list that you want to view.
5 Click Export.
6 You are prompted to save the file. Save the file to a location on your computer.
4 To view a specific master list before deleting it, click the country code
corresponding to the foreign master list that you want to view.
The View Foreign Master List page appears.
4 To view more detailed information about the CSCA certificate before exporting
it, click the country code of the CSCA certificate you want to export.
The View Trust Anchor page appears.
4 In the Country Code column, click the country code of the trust anchor you want
to edit.
The View Trust Anchor page appears.
4 In the Country Code column, click the country code of the trust anchor you want
to validate.
The View Trust Anchor page appears.
4 In the Country Code column, click the country code of the trust anchor you want
to delete.
5 To view more detailed information about the trust anchor before deleting it, click
the country code of the trust anchor.
The View Trust Anchor page appears.
4 The Automatic Upload Enabled setting controls whether PKD Writer will
automatically upload CSCA materials to the ICAO PKD.
Note:
Currently, PKD Writer can automatically upload only the current CSCA CRL to
the ICAO PKD from a URL.
Customizing the MLS Administration interface
When customizing the MLS Administration interface, you can make several changes
to reflect the corporate identity of your company. This section provides you with
details about how to apply those changes.
Note:
Any changes you make may require you to complete manual tasks when you
upgrade to the next version of Administration Services. It is recommended that
you keep track of the changes you make.
Figure 22: Custom application title and browser title for MLS Administration
commonpage.css Defines the styles for elements common to all pages in the
interface, such as the title bar.
style.css Loads all the CSS files except the help.css file.
Only someone with a good knowledge of CSS should edit the CSS files. When editing
the CSS files, take care not to make any changes that can break the MLS
Administration interface. Always back up a file before making any edits to the file.
Note:
Do not remove the en_US folder. It is the default locale.
Localization overview
Localization is the process of modifying or adapting a software application to fit the
requirements of a particular locale. Localization includes translating application text
to conform with a specific locale, and it might also include modifying the date, time,
and currency formats.
About locales
A locale is a specific geographic, political, or cultural region. Locales are generally
specified using a language code combined with a country code.
Language codes are two-letter codes defined by ISO 639 Code for the representation
of the names of languages. By convention, language codes are shown in lower case.
Some common examples include:
• en—English
• fr—French
• ja—Japanese
• ko—Korean
• zh—simplified and traditional Chinese
Country codes are two-letter codes defined by ISO 3166 Country Codes. By
convention, country codes appear in upper case. Some common examples include:
• CA—Canada
• US—United States
• GB—United Kingdom (Great Britain)
• JP—Japan
• CN—China
Defining locales
Locales are generally specified using a combination of a language code and a country
code. The most common interpretation of this standard is the two-letter language
code followed by the two-letter country code, for example:
• fr_CA—French (Canada)
• en_US—English (United States)
• en_GB—English (United Kingdom)
• ja_JP—Japanese (Japan)
Table 43: MLS Administration files to translate for your new locale
Note:
The MLS Web Service was designed with the assumption that custom
applications are responsible for submitting the correct certificates. The MLS Web
Service assumes that all certificates being added are valid CSCA certificates. It is
critical that an administrator carefully review the list of certificates being added
by the MLS Web Service to ensure that they are the correct certificates. The
resulting master list should also be carefully reviewed before being published to
the ICAO Public Key Directory.
GetMlswsVersions
Description: Returns version information about the MLS Web Service.
Request: None
Response: java.lang.String Version
GetMasterList
Description: Returns the current active domestic master list (the last master list
created through either MLS Administration interface or MLS Web Service).
Request: None
Response: javax.activation.DataHandler MasterList
CreateMasterList
Description: Creates a new domestic master list containing the supplied
certificates. The MLS Web Service will take the set of certificates and create a new
master list containing these certificates. The master list is signed by the Master
List Signer profile issued by the CSCA. This master list becomes the new current
active master list.
Request: javax.activation.DataHandler[] CSCACertificates
The content of the request is the set of CSCA root certificates (domestic and
foreign) to be included in the new master list.
Response: javax.activation.DataHandler MasterList
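The note above leaves the review of the certificates handed to CreateMasterList to the administrator: the MLS Web Service itself assumes every certificate it receives is a valid CSCA certificate. The following Go program is an added example, not code from the guide or from the MLS Web Service, showing one way to automate that review before the call is made. Each DER certificate is accepted only if it is self-signed, marked as a CA, carries keyCertSign, verifies its own signature and is currently valid; everything else is reported with a reason. The acceptance policy, the function names and the constructed sample certificates are this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MasterListCheck records the outcome of reviewing one candidate certificate.
type MasterListCheck struct {
	Subject string
	OK      bool
	Reason  string
}

// CheckCSCARoot applies the review the guide leaves to the administrator.
// The exact policy below is an assumption of this example, not an MLS Web
// Service rule: only a self-signed CA certificate with keyCertSign, a
// verifying self-signature and a current validity period is accepted.
func CheckCSCARoot(der []byte, now time.Time) MasterListCheck {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return MasterListCheck{Reason: "not a parseable X.509 certificate"}
	}
	res := MasterListCheck{Subject: cert.Subject.String()}
	switch {
	case !bytes.Equal(cert.RawSubject, cert.RawIssuer):
		res.Reason = "subject and issuer differ: not a self-signed root"
	case !cert.BasicConstraintsValid || !cert.IsCA:
		res.Reason = "basicConstraints does not mark the certificate as a CA"
	case cert.KeyUsage&x509.KeyUsageCertSign == 0:
		res.Reason = "keyUsage lacks keyCertSign"
	case cert.CheckSignatureFrom(cert) != nil:
		res.Reason = "self-signature does not verify"
	case now.Before(cert.NotBefore) || now.After(cert.NotAfter):
		res.Reason = "outside validity period"
	default:
		res.OK = true
		res.Reason = "accepted as CSCA root"
	}
	return res
}

// FilterMasterListInput splits candidates into the set that may be passed to
// CreateMasterList and the per-certificate findings an administrator reviews.
func FilterMasterListInput(ders [][]byte, now time.Time) ([][]byte, []MasterListCheck) {
	var accepted [][]byte
	findings := make([]MasterListCheck, 0, len(ders))
	for _, der := range ders {
		c := CheckCSCARoot(der, now)
		findings = append(findings, c)
		if c.OK {
			accepted = append(accepted, der)
		}
	}
	return accepted, findings
}

// makeSampleCerts builds constructed test material: a self-signed CA and a
// non-CA certificate it issued (the latter must be rejected).
func makeSampleCerts() (caDER, leafDER []byte, err error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, fmt.Errorf("key generation failed")
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Country: []string{"XX"}, CommonName: "Sample CSCA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if caDER, err = x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Country: []string{"XX"}, CommonName: "Document Signer (constructed)"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	leafDER, err = x509.CreateCertificate(rand.Reader, leafTmpl, caTmpl, &leafKey.PublicKey, caKey)
	return caDER, leafDER, err
}

func main() {
	ca, leaf, err := makeSampleCerts()
	if err != nil {
		panic(err)
	}
	_, findings := FilterMasterListInput([][]byte{ca, leaf, []byte("not a certificate")}, time.Now())
	for _, f := range findings {
		fmt.Printf("%-45q ok=%-5t %s\n", f.Subject, f.OK, f.Reason)
	}
}
```

Only the accepted set would be wrapped into the DataHandler array for CreateMasterList; the findings list is what gets attached to the change record so the master list can be reviewed again before it is published to the ICAO PKD.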
892 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0
Installing and configuring Security Manager
Before installing Security Manager, ensure that you read all preinstallation
information described in the Security Manager 8.3 Installation Guide. Ensure that
you install and configure a supported LDAP directory and database as described in
the Security Manager 8.3 Installation Guide.
When using the countryName (c=) directory attribute to specify a two-letter country
code, the two-letter country code must be in uppercase characters to meet the ISO
3166 standard.
This section includes the following topics:
• “Installing and configuring Security Manager on Windows” on page 894
• “Installing and configuring Security Manager on Linux” on page 897
Attention:
Not all Security Manager client applications support all the algorithms that you
can select when configuring Security Manager. When configuring Security
Manager, ensure that you select algorithms supported by all the client
applications that you plan to use.
Note:
If you do not enter CVCA license information, Security Manager does not prompt
you to configure and initialize a CVCA. To configure and initialize a CVCA after
initializing Security Manager, see “Initializing a CVCA” on page 904.
Attention:
Not all Security Manager client applications support all the algorithms that you
can select when configuring Security Manager. When configuring Security
Manager, ensure that you select algorithms supported by all the client
applications that you plan to use.
Note:
If you do not enter CVCA license information, Security Manager does not prompt
you to configure and initialize a CVCA. To configure and initialize a CVCA after
initializing Security Manager, see “Initializing a CVCA” on page 904.
To initialize a CVCA
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 At the prompt, enter the following command:
cvca init <country code> <mnemonic> [-taa <value>] [-keytype <value>] [-ar F|I|FI|""] [-seqAlg A|N|CA|CN] [-lifetime years|months|weeks|days <value>] [-warn <days>] [-softKey enabled|disabled]
Parameters in square brackets are optional parameters. Table 44 describes the
parameters.
Parameter Description
<country code> The ISO 3166-1 ALPHA-2 country code of your country. The country code and the mnemonic form the CVCA identity.
<mnemonic> Unique label for the CVCA. The label must be between one and nine ISO 8859-1 Latin-1 characters. The country code and the mnemonic form the CVCA identity.
-taa <value> Specifies the terminal authentication algorithm. The algorithm must be one of:
• RSA-SHA1
• RSA-SHA256
• RSAPSS-SHA1
• RSAPSS-SHA256
• ECDSA-SHA1
• ECDSA-SHA224
• ECDSA-SHA256
-keytype <value> Specifies the key type (RSA or EC), and the key size (RSA) or domain parameters (EC). The key type must be one of:
• RSA-1024
• RSA-1280
• RSA-1536
• RSA-2048
• RSA-3072
• RSA-4096
• EC-brainpoolP160r1
• EC-brainpoolP160t1
• EC-brainpoolP192r1
• EC-brainpoolP192t1
• EC-brainpoolP224r1
• EC-brainpoolP224t1
• EC-brainpoolP256r1
• EC-brainpoolP256t1
• EC-ansix9p160k1
• EC-ansix9p160r1
• EC-ansix9p160r2
• EC-ansix9p192r1
• EC-ansix9p192k1
• EC-ansix9p224r1
• EC-ansix9p224k1
• EC-ansix9p256r1
• EC-ansix9p256k1
-lifetime years | months | weeks | days <value> Specifies the lifetime of the CVCA certificate in years, months, weeks, or days. Must be between one day and 25 years. If you do not specify a lifetime, the default is three years.
-warn <days> Specifies the number of days before the certificate expires when Security Manager starts warning you of the impending expiry. A value of 0 suppresses the warnings. If you do not specify the warning threshold, it defaults to 100 days.
-softKey enabled | disabled Controls whether software is permitted as a storage location for the CVCA keys. If enabled, you can store the CVCA keys in software. If disabled, you can only store the CVCA keys on a hardware device. If you do not specify a value, you can store the CVCA keys in software.
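The cvca init command creates the CVCA identity, so a value that is accepted with a typo (a lowercase country code, a mnemonic one character too long, a 30-year lifetime) is expensive to undo. The following Go program is an added example, not part of the guide or of Security Manager Control Command Shell: it checks the values an operator intends to pass against the constraints Table 44 documents, including the uppercase ISO 3166 country code rule that also applies to the countryName (c=) directory attribute, and then renders the command line. It covers only the parameters the table describes (-ar and -seqAlg are not checked); the type name, the -1 convention for an unset -warn, and the month, week and day equivalents of the 25-year upper bound are this example's assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Values documented for cvca init in Table 44.
var cvcaTAAs = map[string]bool{
	"RSA-SHA1": true, "RSA-SHA256": true, "RSAPSS-SHA1": true, "RSAPSS-SHA256": true,
	"ECDSA-SHA1": true, "ECDSA-SHA224": true, "ECDSA-SHA256": true,
}

var cvcaKeyTypes = map[string]bool{
	"RSA-1024": true, "RSA-1280": true, "RSA-1536": true, "RSA-2048": true, "RSA-3072": true, "RSA-4096": true,
	"EC-brainpoolP160r1": true, "EC-brainpoolP160t1": true, "EC-brainpoolP192r1": true, "EC-brainpoolP192t1": true,
	"EC-brainpoolP224r1": true, "EC-brainpoolP224t1": true, "EC-brainpoolP256r1": true, "EC-brainpoolP256t1": true,
	"EC-ansix9p160k1": true, "EC-ansix9p160r1": true, "EC-ansix9p160r2": true, "EC-ansix9p192r1": true,
	"EC-ansix9p192k1": true, "EC-ansix9p224r1": true, "EC-ansix9p224k1": true, "EC-ansix9p256r1": true, "EC-ansix9p256k1": true,
}

// Upper bound of "25 years" per unit. The guide states the bound in years;
// the month, week and day equivalents are this example's assumption.
var cvcaMaxLifetime = map[string]int{"years": 25, "months": 300, "weeks": 1300, "days": 9125}

// CVCAInitParams is what the operator intends to pass to cvca init.
// Optional string fields are left empty; WarnDays -1 means "not given".
type CVCAInitParams struct {
	CountryCode, Mnemonic, TAA, KeyType string
	LifetimeUnit                        string
	LifetimeValue                       int
	WarnDays                            int
	SoftKey                             string // "", "enabled" or "disabled"
}

func isUpperASCII(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < 'A' || s[i] > 'Z' {
			return false
		}
	}
	return true
}

// Validate checks every documented constraint and returns the violations.
func (p CVCAInitParams) Validate() []string {
	var errs []string
	if len(p.CountryCode) != 2 || !isUpperASCII(p.CountryCode) {
		errs = append(errs, "country code must be two uppercase letters (ISO 3166-1 alpha-2)")
	}
	n, latin1 := 0, true
	for _, r := range p.Mnemonic { // count runes, not bytes
		n++
		if r > 0xFF {
			latin1 = false
		}
	}
	if n < 1 || n > 9 || !latin1 {
		errs = append(errs, "mnemonic must be 1 to 9 ISO 8859-1 (Latin-1) characters")
	}
	if p.TAA != "" && !cvcaTAAs[p.TAA] {
		errs = append(errs, fmt.Sprintf("unsupported -taa value %q", p.TAA))
	}
	if p.KeyType != "" && !cvcaKeyTypes[p.KeyType] {
		errs = append(errs, fmt.Sprintf("unsupported -keytype value %q", p.KeyType))
	}
	if p.LifetimeUnit != "" {
		if limit, ok := cvcaMaxLifetime[p.LifetimeUnit]; !ok {
			errs = append(errs, "lifetime unit must be years, months, weeks or days")
		} else if p.LifetimeValue < 1 || p.LifetimeValue > limit {
			errs = append(errs, fmt.Sprintf("lifetime must be between one day and 25 years (1 to %d %s)", limit, p.LifetimeUnit))
		}
	}
	if p.WarnDays < -1 {
		errs = append(errs, "-warn must be 0 (suppress warnings) or a positive number of days")
	}
	if p.SoftKey != "" && p.SoftKey != "enabled" && p.SoftKey != "disabled" {
		errs = append(errs, "-softKey must be enabled or disabled")
	}
	return errs
}

// Command renders the entsh command line; call Validate first.
func (p CVCAInitParams) Command() string {
	parts := []string{"cvca", "init", p.CountryCode, p.Mnemonic}
	if p.TAA != "" {
		parts = append(parts, "-taa", p.TAA)
	}
	if p.KeyType != "" {
		parts = append(parts, "-keytype", p.KeyType)
	}
	if p.LifetimeUnit != "" {
		parts = append(parts, "-lifetime", p.LifetimeUnit, strconv.Itoa(p.LifetimeValue))
	}
	if p.WarnDays >= 0 {
		parts = append(parts, "-warn", strconv.Itoa(p.WarnDays))
	}
	if p.SoftKey != "" {
		parts = append(parts, "-softKey", p.SoftKey)
	}
	return strings.Join(parts, " ")
}

func main() {
	// Constructed values; "XX" is a placeholder, not a real country code.
	p := CVCAInitParams{CountryCode: "xx", Mnemonic: "CVCA01", KeyType: "EC-brainpoolP256r1",
		LifetimeUnit: "years", LifetimeValue: 3, WarnDays: 100, SoftKey: "disabled"}
	if errs := p.Validate(); len(errs) > 0 {
		fmt.Println("not running:", strings.Join(errs, "; "))
		return
	}
	fmt.Println(p.Command())
}
```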
Deployment overview
Deploying Administration Services for a CVCA includes the following steps. Each step
is described in further detail in this chapter.
1 Review the list of supported operating systems, Web servers, and Web browsers.
See the Entrust Authority Administration Services Release Notes. The most
recent Release Notes are posted on Entrust Datacard TrustedCare.
2 (Optional.) Install and configure a supported Web server (see “Installing and
configuring the Web server (optional)” on page 910).
CVCA Administration consists of application server components and optional
Web server components. The Web server components allow you to configure a
front-end Web server so that requests go through the Web server instead of directly to
the application server.
3 Synchronize the application server and Security Manager Certification Authority
time setting (see “Synchronizing Administration Services and Security Manager
time settings” on page 913).
4 Create Entrust profiles for Administration Services:
• “Creating CVCA Administration Server credentials” on page 914
• “Creating CVCA Administration XAP credentials” on page 918
• “Creating SPOC Domestic Web Service credentials” on page 921
5 Check the settings in the entrust.ini file (see “Checking the entrust.ini file” on
page 924).
6 Install CVCA Administration (see “Installing CVCA Administration” on
page 926).
7 If you configured the CVCA Administration to use a front-end Web server, you
must complete the front-end configuration:
• “Completing the Microsoft IIS front-end configuration for CVCA
Administration” on page 957
• “Completing the Apache HTTP Server front-end configuration for CVCA
Administration” on page 964
8 Create or modify a user policy for CVCA administrators (see “Creating or
modifying a user policy for CVCA administrators” on page 974).
The client policy (user policy) assigned to the roles used by CVCA administrators
must allow external authentication and optionally PKCS #12 export.
9 Create new roles for CVCA administrators (see “Creating roles for CVCA
administrators” on page 977).
The operations that administrators can perform in CVCA Administration depend
on the administrator’s role. You can use existing pre-defined roles, or create new
roles for your CVCA administrators.
Note:
Web Server SSL certificates must be issued by a Certification Authority.
Self-signed certificates are not supported.
You need a Web server certificate to enable SSL on your Web server. You can use the
following Entrust products to obtain Web server certificates:
• To generate large numbers of licensed Web server certificates, use Entrust
Authority Enrollment Server for Web.
Note:
You need to create a CVCA Administration Server profile only if you will not use
a front-end Web server with CVCA Administration. The Administration Services
installer will not prompt you for a CVCA Administration Server profile if you
configure the application server components for a front-end Web server.
To create a user entry for the CVCA Administration Server profile using
Security Manager Administration
1 Log in to Security Manager Administration for the CVCA.
2 Select User > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
To create a user entry for the CVCA Administration XAP profile using Security
Manager Administration
1 Log in to Security Manager Administration for the CVCA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
To create a user entry for the SPOC Domestic Web Service profile using
Security Manager Administration
1 Log in to Security Manager Administration for the CVCA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
This page lists all configured services (if any). Click Next to add a new service.
a In the Host Name field, enter the fully qualified host name of your Web site.
For example, webserver.example.com.
b In the Port Number field, enter the SSL port number of your Web site (by
default 443).
c Click Next.
a In the Enter the SSL/TLS port number for the CVCA Administration Service
field, enter the SSL port number for the CVCA Administration instance (by
default 14443).
b Click Next.
If you chose to configure the Web server front-end, proceed to Step 15 on
page 937.
a In the text field, enter the full path and file name of the entrust.ini file
from the Entrust CA that issued the CVCA Administration Server profile, or
click Choose to locate the file.
b Click Next.
a In the Enter the location of the CVCA Administration Profile field, click
Choose to locate and select the CVCA Administration Server profile (EPF
file).
b In the Enter the Password to login to your CVCA Administration Profile
field, enter the password for the EPF file.
c Click Next.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the CVCA Administration Server profile.
b In the Enter the Password to login to your CVCA Administration Profile
field, enter the password for the profile.
c Click Next.
a In the Enter the Managed CA name field, enter a unique name for the CVCA.
Note:
The name is a friendly name to identify the CVCA, not the CVCA identity.
The name must be at least four characters long, and must contain only
letters, numbers, underscores, spaces, and hyphens. At least four characters
must be a combination of uppercase letters, lowercase letters, and numbers.
b Administration Services requires connection information to the CVCA and its
LDAP directory. The installer can take the information from the CVCA’s
entrust.ini file or you can provide the information manually.
– To use the information from the CVCA’s entrust.ini file, select Use
information from entrust.ini, and then enter the full path and file name of
the entrust.ini file into the Enter the location of the entrust.ini field or
click Choose to locate the file.
a In the Enter Manager Host Name field, enter the fully qualified domain name
of the server hosting the CVCA. For example, domain.example.com.
b In the Enter PKI Port Number field, enter the CMP port of the CVCA,
typically 829.
c In the Enter XAP Port Number field, enter the XAP port of the CVCA,
typically 443 or 1443.
d In the Enter LDAP Host Name field, enter the fully qualified domain name of
the CVCA’s LDAP directory. For example, ldap.example.com.
e In the Enter LDAP Port number field, enter the LDAP port of the directory
(typically 389).
f Click Next.
a In the Enter the location of the XAP Profile field, enter the full path and file
name of the CVCA Administration XAP profile issued by the CVCA, or click
Choose to select the file.
b In the Enter the Password to login to your XAP Profile field, enter the
password for the CVCA Administration XAP profile.
c Click Next.
a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. By default, this option is already selected.
– To not start the service after exiting the installer, deselect Start the service
automatically. You must manually restart Administration Services to use the
new service.
b Click Next.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.
This page lists all configured services (if any). Click Next to add a new service.
a Select the Web server that you will use for Administration Services.
b Click Next.
a In the Web Server’s Fully Qualified Host Name or IP Address field, enter the
fully qualified host name or IPv4 address of your Web site. For example,
webserver.example.com.
b In the Web Server’s SSL Port field, enter the SSL port number of your Web
site (by default 443).
c Click Next.
a Enter the path to the folder that contains the Web server’s configuration file
(httpd.conf file) or click Choose to select the folder that contains the file.
b Click Next to continue.
a In the text field, enter the fully qualified host name or IPv4 address of the
server hosting the application server components. For example,
appserver.example.com.
b Click Next.
a In the Enter the SSL/TLS port number for the CVCA Administration Service
field, enter the SSL port number for CVCA Administration (by default
14443).
b Click Next.
To assign SSL certificates to the CVCA Administration Web site on Microsoft IIS
1 Log in to the server hosting Microsoft IIS.
2 Open Internet Information Services (IIS) Manager by selecting Start, then click
the down arrow to access Apps, then click Internet Information Services (IIS)
Manager.
11 Click Finish.
Note:
If the file referenced by SSLCertificateChainFile or SSLCACertificateFile
contains too many certificates, Apache HTTP Server may fail to load all the
certificates. If the Web server fails to load all the certificates, it may be unable to
successfully maintain a session with the Web browser. To work around this issue,
you can use the SSLCACertificatePath setting instead of the
SSLCertificateChainFile or SSLCACertificateFile settings. For information
about using the SSLCACertificatePath setting, see the Apache HTTP Server
documentation.
• The SSLCertificateFile setting must specify the path and file name of a
PEM-encoded SSL server certificate. The path can be a path relative to the
Apache HTTP Server installation directory. For example:
SSLCertificateFile conf/ssl/server.crt
• The SSLCertificateKeyFile setting must specify the path and file name of
a private key file. The path can be a path relative to the Apache HTTP Server
installation directory. For example:
SSLCertificateKeyFile conf/ssl/server.key
Note:
If the file referenced by SSLCACertificateFile contains too many certificates,
Apache HTTP Server may fail to load all the certificates. If the Web server fails to
load all the certificates, it may be unable to successfully maintain a session with
the Web browser. To work around this issue, you can use the
SSLCACertificatePath setting instead of the SSLCACertificateFile setting.
For information about using the SSLCACertificatePath setting, see the Apache
HTTP Server documentation.
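The two notes above describe a failure that only shows up at runtime: a chain or CA bundle with too many certificates loads partially and the browser session then breaks. The following Go program is an added example, not part of the guide or of Apache HTTP Server: it pulls the certificate directives out of an httpd.conf fragment, counts the PEM certificates in each referenced bundle, checks that SSLCertificateFile holds a single server certificate and SSLCertificateKeyFile a private key, and flags bundles above a size threshold with the SSLCACertificatePath workaround. The threshold is an assumption (the guide only says "too many"), the file contents are passed in as a map so the check runs offline, and the PEM blocks used for the demonstration are constructed placeholders rather than real certificates.

```go
package main

import (
	"bufio"
	"encoding/pem"
	"fmt"
	"strings"
)

// The certificate-related directives covered by the guide.
var sslCertDirectives = map[string]bool{
	"SSLCertificateFile": true, "SSLCertificateKeyFile": true,
	"SSLCertificateChainFile": true, "SSLCACertificateFile": true, "SSLCACertificatePath": true,
}

// ParseSSLDirectives pulls those directives out of httpd.conf text, ignoring comments.
func ParseSSLDirectives(conf string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 2 && !strings.HasPrefix(f[0], "#") && sslCertDirectives[f[0]] {
			out[f[0]] = strings.Trim(f[1], `"`)
		}
	}
	return out
}

// CountPEMCertificates counts CERTIFICATE blocks in a PEM bundle.
func CountPEMCertificates(bundle []byte) int {
	n := 0
	for {
		var block *pem.Block
		block, bundle = pem.Decode(bundle)
		if block == nil {
			return n
		}
		if block.Type == "CERTIFICATE" {
			n++
		}
	}
}

// LintSSLConfig checks the directives against the referenced file contents.
// files maps each path as written in the config to its bytes; maxBundleCerts
// is the bundle size above which a finding is raised (assumed threshold).
func LintSSLConfig(d map[string]string, files map[string][]byte, maxBundleCerts int) []string {
	var findings []string
	for _, req := range []string{"SSLCertificateFile", "SSLCertificateKeyFile"} {
		if d[req] == "" {
			findings = append(findings, req+" is not set")
		}
	}
	if p := d["SSLCertificateFile"]; p != "" && CountPEMCertificates(files[p]) != 1 {
		findings = append(findings, "SSLCertificateFile must hold exactly one PEM server certificate")
	}
	if p := d["SSLCertificateKeyFile"]; p != "" {
		if block, _ := pem.Decode(files[p]); block == nil || !strings.HasSuffix(block.Type, "PRIVATE KEY") {
			findings = append(findings, "SSLCertificateKeyFile does not contain a PEM private key")
		}
	}
	for _, dir := range []string{"SSLCertificateChainFile", "SSLCACertificateFile"} {
		if p := d[dir]; p != "" {
			if n := CountPEMCertificates(files[p]); n > maxBundleCerts {
				findings = append(findings, fmt.Sprintf(
					"%s %s holds %d certificates; Apache may not load them all, use SSLCACertificatePath instead", dir, p, n))
			}
		}
	}
	return findings
}

// samplePEM builds constructed PEM blocks (placeholder bytes, not real certificates or keys).
func samplePEM(blockType string, count int) []byte {
	var out []byte
	for i := 0; i < count; i++ {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: blockType, Bytes: []byte(fmt.Sprintf("placeholder-%d", i))})...)
	}
	return out
}

// Constructed configuration fragment in the form the guide shows.
const sampleHTTPDConf = `# constructed fragment
SSLEngine on
SSLCertificateFile conf/ssl/server.crt
SSLCertificateKeyFile conf/ssl/server.key
SSLCACertificateFile conf/ssl/ca-bundle.crt
`

func main() {
	files := map[string][]byte{
		"conf/ssl/server.crt":    samplePEM("CERTIFICATE", 1),
		"conf/ssl/server.key":    samplePEM("EC PRIVATE KEY", 1),
		"conf/ssl/ca-bundle.crt": samplePEM("CERTIFICATE", 12),
	}
	for _, f := range LintSSLConfig(ParseSSLDirectives(sampleHTTPDConf), files, 8) {
		fmt.Println("finding:", f)
	}
}
```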
Setting Description
managedca.entrust.0.uniqueid This setting specifies the unique ID for the CVCA. The value must be 0.
managedca.entrust.0.host This setting specifies the IPv4 address or fully qualified domain name of the server hosting the CVCA.
managedca.entrust.0.xapport This setting specifies the XAP port of the CVCA (typically 443 or 1443).
managedca.entrust.0.pkixport This setting specifies the PKIX-CMP port of the CVCA (typically 829).
managedca.entrust.0.ldap.host This setting specifies the IPv4 address or fully qualified domain name of the server hosting the CVCA’s LDAP directory.
managedca.entrust.0.ldap.port This setting specifies the LDAP port of the directory (typically 389).
managedca.entrust.0.xapexternalauthepf This setting specifies the full path and file name of the CVCA Administration XAP profile issued by the CVCA.
For information about creating CVCA Administration XAP profiles for the CVCA, see “Creating CVCA Administration XAP credentials” on page 918.
managedca.entrust.0.digest.algorithm This setting specifies the digest algorithm used to sign XAP messages.
Permitted values:
• sha1 for SHA-1.
• sha256 for SHA-256.
CVCA Administration signs the XAP message using the CVCA administrator’s profile. If the profile has a DSA or ECDSA key pair, set the XAP message signing algorithm to SHA-1.
If not specified, the default is SHA1.
managedca.entrust.0.ldap.principal Java Naming and Directory Interface (JNDI) credentials are required to access the CVCA's LDAP directory when anonymous bind is not available.
managedca.entrust.0.ldap.credential Java Naming and Directory Interface (JNDI) credentials are required to access the CVCA's LDAP directory when anonymous bind is not available.
This setting specifies the password for the JNDI Principal used to connect to the directory. Administration Services will store the password as an encrypted value.
If this setting is absent or has no value, then an anonymous bind is used to connect to the directory.
managedca.entrust.0.xap.connections.initial This setting specifies the initial number of XAP connections that CVCA Administration opens with the CVCA when Administration Services starts.
The number of XAP connections to the CVCA increases automatically up to the maximum when the number of administrators concurrently using Administration Services increases.
If not specified, the default is 4.
managedca.entrust.0.xap.connections.max This setting specifies the maximum number of XAP connections that CVCA Administration opens with the CVCA.
After reaching the maximum, connections are automatically closed after use. Since new XAP messages cannot be sent to the CVCA until a connection is available, repeatedly reaching this maximum may slow system performance.
If not specified, the default is 20.
managedca.entrust.0.xap.connections.idle.timeout This setting specifies the length of time (in minutes) that CVCA Administration allows a XAP connection with the CVCA to remain idle before closing it and creating a new connection.
If not specified, the default is 30 minutes.
managedca.entrust.0.xap.connections.socket.timeout This setting specifies the maximum length of time (in seconds) that CVCA Administration waits for a CVCA to accept a XAP connection before returning an error.
This setting prevents CVCA Administration from hanging indefinitely if the CVCA does not accept the connection; for example, if the CVCA server is too busy to accept the connection.
If not specified, the default is 60 seconds.
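The managedca.entrust.0.* settings above carry several implicit rules (uniqueid must be 0, the digest defaults to SHA-1, an empty ldap.credential silently turns the directory connection into an anonymous bind, and the initial pool size should not exceed the maximum). The following Go program is an added example, not part of the guide or of Administration Services: it parses a Java-style properties file, applies the documented defaults, and reports every value that would stop CVCA Administration from reaching the CVCA or its directory. The struct and function names, the port-range check and the treatment of a principal without a credential as a finding are this example's assumptions; the sample file is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

const managedCAPrefix = "managedca.entrust.0."

// ParseProperties reads key=value lines; '#' and '!' start comment lines.
func ParseProperties(text string) map[string]string {
	props := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == '!' {
			continue
		}
		if i := strings.Index(line, "="); i > 0 { // split on the first '=' only
			props[strings.TrimSpace(line[:i])] = strings.TrimSpace(line[i+1:])
		}
	}
	return props
}

// ManagedCASettings is the resolved CVCA connection configuration with the
// documented defaults applied.
type ManagedCASettings struct {
	UniqueID, Host, LDAPHost, XAPProfile, Digest, LDAPPrincipal string
	XAPPort, PKIXPort, LDAPPort                                 int
	ConnInitial, ConnMax, IdleTimeoutMin, SocketTimeoutSec      int
	AnonymousBind                                               bool
}

// ValidateManagedCA applies defaults and reports settings that are missing,
// out of range, or that change connection behaviour unexpectedly.
func ValidateManagedCA(props map[string]string) (ManagedCASettings, []string) {
	var findings []string
	get := func(k string) string { return strings.TrimSpace(props[managedCAPrefix+k]) }
	s := ManagedCASettings{UniqueID: get("uniqueid"), Host: get("host"), LDAPHost: get("ldap.host"),
		XAPProfile: get("xapexternalauthepf"), Digest: strings.ToLower(get("digest.algorithm")),
		LDAPPrincipal: get("ldap.principal")}
	if s.UniqueID != "0" {
		findings = append(findings, "uniqueid must be 0")
	}
	for _, req := range []string{"host", "ldap.host", "xapexternalauthepf"} {
		if get(req) == "" {
			findings = append(findings, req+" is required")
		}
	}
	ports := []struct {
		key string
		dst *int
	}{{"xapport", &s.XAPPort}, {"pkixport", &s.PKIXPort}, {"ldap.port", &s.LDAPPort}}
	for _, p := range ports {
		n, err := strconv.Atoi(get(p.key))
		if err != nil || n < 1 || n > 65535 {
			findings = append(findings, p.key+" must be a TCP port number")
			continue
		}
		*p.dst = n
	}
	switch s.Digest {
	case "":
		s.Digest = "sha1" // documented default
	case "sha1", "sha256":
	default:
		findings = append(findings, "digest.algorithm must be sha1 or sha256")
	}
	pool := []struct {
		key string
		def int
		dst *int
	}{{"xap.connections.initial", 4, &s.ConnInitial}, {"xap.connections.max", 20, &s.ConnMax},
		{"xap.connections.idle.timeout", 30, &s.IdleTimeoutMin}, {"xap.connections.socket.timeout", 60, &s.SocketTimeoutSec}}
	for _, it := range pool {
		v := get(it.key)
		if v == "" {
			*it.dst = it.def
			continue
		}
		if n, err := strconv.Atoi(v); err != nil || n < 0 {
			findings = append(findings, it.key+" must be a non-negative integer")
		} else {
			*it.dst = n
		}
	}
	if s.ConnInitial > s.ConnMax {
		findings = append(findings, fmt.Sprintf("xap.connections.initial (%d) exceeds xap.connections.max (%d)", s.ConnInitial, s.ConnMax))
	}
	// An absent or empty ldap.credential means an anonymous bind to the directory.
	s.AnonymousBind = get("ldap.credential") == ""
	if s.LDAPPrincipal != "" && s.AnonymousBind {
		findings = append(findings, "ldap.principal is set but ldap.credential is empty: an anonymous bind will be used")
	}
	return s, findings
}

// Constructed sample; host names and the profile path are placeholders.
const sampleManagedCA = `# constructed sample
managedca.entrust.0.uniqueid=0
managedca.entrust.0.host=cvca.example.com
managedca.entrust.0.xapport=1443
managedca.entrust.0.pkixport=829
managedca.entrust.0.ldap.host=ldap.example.com
managedca.entrust.0.ldap.port=389
managedca.entrust.0.xapexternalauthepf=C:/profiles/cvcaxap.epf
managedca.entrust.0.xap.connections.initial=25
`

func main() {
	s, findings := ValidateManagedCA(ParseProperties(sampleManagedCA))
	fmt.Printf("%+v\n", s)
	for _, f := range findings {
		fmt.Println("finding:", f)
	}
}
```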
To modify an existing user policy to allow PKCS #12 export and XAP external
authentication
1 Log in to Security Manager Administration for the CVCA.
2 In the tree view, expand Security Policy > User Policies.
3 Select the user policy to modify. For example, select Administrator Policy to
modify the user policy assigned to the predefined EAC Administrator and EAC
Auditor roles.
4 Under Policy Attributes:
a Select Allow PKCS#12 Export.
This setting allows users to export their digital ID to a PKCS #12 file.
b Select All Exportable.
This setting allows all private keys to be exported.
c (Optional.) Change the value of Minimum PKCS#12 Hash Count.
This setting specifies the minimum number of times that the user-supplied
password for the PKCS #12 file is hashed during export. You can enter a
value between 1 (very weak) and 10000 (very secure). The default value of
2000 is sufficient for most deployments.
To create a new user policy to allow PKCS #12 export and XAP external
authentication by copying the Administrator Policy user policy
1 Log in to Security Manager Administration for the Entrust Managed CA.
2 In the tree view, expand Security Policy > User Policies.
3 Select Administrator Policy.
4 Select Policies > User Policies > Selected User Policy > Copy.
The Copy User Policy dialog box appears.
5 In the Label field, enter CVCA Administrator Policy.
6 In the Common name field, enter CVCA Administrator Policy.
7 In the Add to drop-down list, select the searchbase where you want to store the
user policy.
8 Under Policy Attributes:
a Select Allow PKCS#12 Export.
This setting allows users to export their digital ID to a PKCS #12 file.
b Select All Exportable.
This setting allows all private keys to be exported.
c (Optional.) Change the value of Minimum PKCS#12 Hash Count.
This setting specifies the minimum number of times that the user-supplied
password for the PKCS #12 file is hashed during export. You can enter a
value between 1 (very weak) and 10000 (very secure). The default value of
2000 is sufficient for most deployments.
d Select Allow use with external authentication.
Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.
Configuring CVCA Administration logs
Administration Services allows you to customize the log file settings for CVCA
Administration. You can configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain
Setting Description
<Level> This setting controls the level of detail for the CVCA Administration logs.
The logging level can be one of (in increasing severity):
• TRACE
• DEBUG
• INFO
• WARNING
• ERROR
• ALERT
• FATAL
This sets the lowest level of message to show. For example, ERROR provides
messages of ERROR, ALERT and FATAL status.
Default: INFO
<Filename> This setting specifies the name (including path) of the log file.
Default:
<AS-install>\cvcaadmin\<instance>\logs\cvca_<instance>.log
<Filesize> This setting controls the maximum size of a log file, in bytes.
Default: 1000000
Do not set the value to 0, or Apache Tomcat will fail to start.
<Backups> This setting controls the maximum number of log files to keep. After the last log
file reaches the maximum size, the first log file is overwritten.
Default: 10
Note:
You can set a maximum return limit for XAP searches in Security Manager. If a
maximum return limit is configured in Security Manager, the maximum return
limit at Security Manager takes precedence.
Setting Description
<DvCertificate> These settings control the search operations for DV certificates.
<MaxReturn> This setting specifies the maximum number of certificates to return
in a DV certificate list operation. If 0, CVCA Administration uses
the Security Manager default XAP return limit (default is 100).
Default: 1000
<IncludeExpired> This setting controls whether to include expired certificates in the
results.
Default: true
<CvcaCertificate> These settings control the search operations for domestic CVCA
certificates.
<MaxReturn> This setting specifies the maximum number of certificates to return
in a domestic CVCA certificate list operation. If 0, CVCA
Administration uses the Security Manager default XAP return limit
(default is 100).
Default: 1000
<IncludeExpired> This setting controls whether to include expired certificates in the
results.
Default: true
<FCvcaEntity> These settings control the search operations for foreign CVCAs.
<MaxReturn> This setting specifies the maximum number of foreign CVCAs to
return in a foreign CVCA list operation. If 0, CVCA Administration
uses the Security Manager default XAP return limit (default is
100).
Default: 1000
<FCvcaCertificate> These settings control the search operations for foreign CVCA
certificates.
<MaxReturn> This setting specifies the maximum number of certificates to return
in a foreign CVCA certificate list operation. If 0, CVCA
Administration uses the Security Manager default XAP return limit
(default is 100).
Default: 1000
<IncludeExpired> This setting controls whether to include expired certificates in the
results.
Default: true
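Two of the settings in these tables fail quietly when misread: a <Filesize> of 0 stops Apache Tomcat from starting, and a <MaxReturn> of 0 does not mean "unlimited" but "use the Security Manager default of 100", which a limit configured at Security Manager overrides anyway. The following Go program is an added example, not part of the guide or of Administration Services: it reads the log settings (<Level>, <Filename>, <Filesize>, <Backups>) and the search settings (<MaxReturn>, <IncludeExpired>) from a configuration document, validates them, applies the documented severity order to filter a few log lines, and resolves the effective XAP return limit. The element names come from the tables above; the enclosing <CvcaAdmin>, <Log> and <Search> wrappers, the log-line layout, and the reading of "takes precedence" as an override are this example's assumptions, and the sample document and log lines are constructed.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// Severity order documented for <Level>, lowest first.
var logLevels = []string{"TRACE", "DEBUG", "INFO", "WARNING", "ERROR", "ALERT", "FATAL"}

func levelIndex(level string) int {
	for i, l := range logLevels {
		if l == strings.ToUpper(level) {
			return i
		}
	}
	return -1
}

// LogSettings and SearchScope use the element names from the guide; the
// <CvcaAdmin>, <Log> and <Search> wrappers are this example's assumption.
type LogSettings struct {
	Level    string `xml:"Level"`
	Filename string `xml:"Filename"`
	Filesize int    `xml:"Filesize"`
	Backups  int    `xml:"Backups"`
}

type SearchScope struct {
	MaxReturn      int  `xml:"MaxReturn"`
	IncludeExpired bool `xml:"IncludeExpired"`
}

type CVCAAdminConfig struct {
	XMLName         xml.Name    `xml:"CvcaAdmin"`
	Log             LogSettings `xml:"Log"`
	DvCertificate   SearchScope `xml:"Search>DvCertificate"`
	CvcaCertificate SearchScope `xml:"Search>CvcaCertificate"`
}

func ParseCVCAAdminConfig(doc string) (CVCAAdminConfig, error) {
	var c CVCAAdminConfig
	err := xml.Unmarshal([]byte(doc), &c)
	return c, err
}

// ValidateLogSettings flags values that stop Tomcat or silently lose messages.
func ValidateLogSettings(l LogSettings) []string {
	var findings []string
	if levelIndex(l.Level) < 0 {
		findings = append(findings, fmt.Sprintf("unknown log level %q", l.Level))
	}
	if l.Filesize <= 0 {
		findings = append(findings, "Filesize must not be 0: Apache Tomcat would fail to start")
	}
	if l.Backups < 1 { // assumption: at least one file must be retained
		findings = append(findings, "Backups should retain at least one log file")
	}
	return findings
}

// ShouldLog reports whether a message at msgLevel is written under the
// configured level: the configured level is the lowest level shown.
func ShouldLog(configured, msgLevel string) bool {
	c, m := levelIndex(configured), levelIndex(msgLevel)
	return c >= 0 && m >= c
}

// FilterLogLines keeps lines whose third field is a level at or above the
// configured one (assumed "<date> <time> <LEVEL> <message>" layout).
func FilterLogLines(configured string, lines []string) []string {
	var kept []string
	for _, line := range lines {
		if f := strings.Fields(line); len(f) >= 3 && ShouldLog(configured, f[2]) {
			kept = append(kept, line)
		}
	}
	return kept
}

// EffectiveReturnLimit resolves <MaxReturn>: 0 falls back to Security Manager's
// default of 100, and a limit configured at Security Manager (smLimit > 0)
// takes precedence over the CVCA Administration value.
func EffectiveReturnLimit(maxReturn, smLimit int) int {
	if smLimit > 0 {
		return smLimit
	}
	if maxReturn == 0 {
		return 100
	}
	return maxReturn
}

// Constructed sample configuration (note the Filesize of 0).
const sampleConfig = `<CvcaAdmin>
  <Log><Level>WARNING</Level><Filename>logs/cvca_main.log</Filename><Filesize>0</Filesize><Backups>10</Backups></Log>
  <Search>
    <DvCertificate><MaxReturn>0</MaxReturn><IncludeExpired>false</IncludeExpired></DvCertificate>
    <CvcaCertificate><MaxReturn>1000</MaxReturn><IncludeExpired>true</IncludeExpired></CvcaCertificate>
  </Search>
</CvcaAdmin>`

func main() {
	c, err := ParseCVCAAdminConfig(sampleConfig)
	if err != nil {
		panic(err)
	}
	fmt.Println("log findings:", ValidateLogSettings(c.Log))
	fmt.Println("DV list limit:", EffectiveReturnLimit(c.DvCertificate.MaxReturn, 0))
	fmt.Println("DV list limit with SM limit 250:", EffectiveReturnLimit(c.DvCertificate.MaxReturn, 250))
}
```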
Table 48: CVCA Administration account tasks, event IDs, and email message files
Note:
You cannot configure email notification to notify DV administrators that a CVCA
key update occurred. After CVCA keys are updated, CVCA administrators must
inform DV administrators that the CVCA keys updated and send the latest CVCA
certificate.
Setting Description
<ContentTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the text of the message. See
“Modifying email notification subject and message text for CVCA
Administration” on page 1001 for details about editing this file.
Note: This is a system setting and should not be modified.
<FromTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the names and email addresses for
the RFC 822 From: and Reply-To: headers.
Note: This is a system setting and should not be modified.
<Id> Used to declare a unique identifier. This value must match an
identifier of a notification event that is sent by the
XAPNotificationHandler. It is the identifier that is used to
determine which email notification event should handle the
notification event.
Note: This is a system setting and should not be modified.
<RecipientTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the names and email addresses of
the recipients. The results of the transformation are a
<Recipients> element.
<SubjectTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the text of the RFC 822 Subject:
header. The result of the transformation is a <Subject> element.
See “Modifying email notification subject and message text for
CVCA Administration” on page 1001 for details about editing this
file.
<AttachmentsTemplate> Specifies the name of the XSLT file that is applied to the
notification event to produce the files sent in the email messages
as attachments. The results of the transformation are an
<Attachments> element.
Attention:
Only personnel with knowledge of XSLT should attempt to modify email
notification text. To compare your changes with the default versions of the XSL
files, see the <AS-install>\templates folder for the default files. Do not modify
any of the files in the templates folder.
Administration Services allows you to modify both the email subject and message text
for each email notification event.
Begin using your digital ID again at any time. If you have lost your
digital ID or forgotten your password, please contact your LRA.
<xsl:call-template name="signature"/>
</xsl:template>
5 Save and close the file.
Getting started in Security Manager Control Command Shell
Master Users are highly trusted people responsible for installing and configuring
Security Manager, and for managing various aspects of Security Manager, such as
certificates, the database, and the directory.
Security Manager Control Command Shell is a command line utility for Master Users
to manage Security Manager. In Security Manager Control Command Shell, a Master
User can do everything from logging in to setting encryption algorithms.
Note:
This section only provides information about starting and stopping, logging in,
and logging out of Security Manager Control Command Shell. For more
information about getting started in Security Manager Control Command Shell,
including important information about character encoding and using special
characters, see the Security Manager Operations Guide.
Note:
If you log in to Windows as a different Windows user, you cannot log in to
Security Manager Control Command Shell or run any commands.
2 Open the Security Manager Control Command Shell using one of the following
methods:
• Double-click the shortcut icon on the desktop.
• From the Start menu: click Start, click the down arrow to open Apps, and then
click Security Manager Control Command Shell. When apps are listed by name or
category, Security Manager Control Command Shell appears under Entrust.
The Security Manager Control Command Shell window appears. The window
presents copyright information about Security Manager, information about
getting help in Security Manager Control Command Shell, and the default
Security Manager Control Command Shell prompt (entsh$).
3 At the prompt, enter:
login
4 If you are using hardware-based database protection (see the Security Manager
Operations Guide), Security Manager Control Command Shell prompts you for
the password of the hardware device:
A password is required to log into 'CAHdwareVendor01 SN :
99ERT-A7-00-1'.
Password:
Enter the password of the hardware device.
5 Security Manager Control Command Shell prompts you for your Master User
user name:
Master User Name:
Enter your Master User user name.
The predefined Master User names (Master1, Master2, and Master3) are
case-sensitive. Names of custom Master Users (see the Security Manager
Operations Guide) are not case-sensitive.
6 Security Manager Control Command Shell prompts you for your Master User
password:
Password:
Note:
If you include these commands in your startup script, you do not need to enter
them each time you log in to your server to run Security Manager Control
Command Shell.
Note:
You can customize the CVCA Administration interface to reflect the corporate
identity of your company. For details, see “Customizing CVCA Administration”
on page 1109.
Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.
Information bar
The information bar in the CVCA Administration interface displays the distinguished
name (DN) of the currently logged in administrator on the left. On the right, the
following links are available:
• About
Click About to view the version and legal information for the Entrust
Authority EAC systems.
• Help
Click Help on any page to view the Help documentation for that page. A link
to the help index is available on each Help page. A link to browser
requirements is available in the help index.
• locales (main page only)
Click a locale link to change the language used in the interface. By default,
CVCA Administration provides English and French locales.
Taskbar
The taskbar has links to the main task areas available to the currently logged-in
administrator. For example, if you are logged in as EAC Administrator, the Country
Verifying CAs, Document Verifiers, Certificate Request, Queued Operations, and
My Account tasks appear. The current task is emphasized by a white background.
Action bar
The action bar has tabs that indicate subtasks or actions available for the particular
task. The current tab is emphasized in darker blue. The action bar displays the current
action within the task.
The bread crumb trail allows administrators to easily see where they are within a task
and navigate back to previous steps.
Tables
When administrators retrieve results, the results are displayed in a table.
Administrators can sort the results in the table:
• Click the column header link in a results table to sort the table by that
column.
To view the CVCA holder identity using Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 At the prompt, enter
cvca identity
Security Manager displays the holder identity of the CVCA.
To view the CVCA holder identity using the CVCA Administration Interface
1 Log in to the CVCA Administration interface (see “Logging in to CVCA
Administration” on page 1011).
2 Click Country Verifying CAs.
3 Click the Country Verifying CA tab.
The CVCA holder identity is listed on the View Details page.
Note:
A warning message appears on the View Details page if a CVCA certificate is set
to expire within the expiry warning threshold. An error message appears if the
CVCA certificate has expired.
4 To view a specific CVCA certificate, click the holder reference of the CVCA
certificate that you want to view.
The View Certificate pane displays the certificate details.
Parameter Description
-root | -link Specifies whether the certificate is a root certificate (-root) or a link
certificate (-link).
A CVCA certificate is a root certificate if its holder reference and
authority reference are the same. Otherwise, it is a link certificate.
Parameter Description
-root | -link Specifies whether the first certificate in the certificate chain is a root
certificate (-root) or a link certificate (-link). If not specified, -root
is assumed.
A CVCA certificate is a root certificate if its holder reference and
authority reference are the same. Otherwise, it is a link certificate.
Use the <trust point holder reference> parameter to identify
the CVCA certificate that starts the certificate chain. If you do not
specify the <trust point holder reference> parameter, this
option is ignored and the certificate chain starts with the initial root
CVCA certificate.
<leaf holder reference> Specifies the holder reference of the CVCA certificate that ends the
CVCA certificate chain.
If not specified, the most recent CVCA link certificate ends the
certificate chain.
<trust point holder reference> Specifies the holder reference of the CVCA certificate that starts the
CVCA certificate chain.
If not specified, the [-root|-link] option is ignored and the initial
root CVCA certificate starts the certificate chain.
You have now exported the CVCA certificate chain. If you included a root CVCA
certificate in the chain, Security Manager displays validation strings.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.
Send the CVCA certificates to the Document Verifier administrator using a secure
method, such as secure email or diplomatic courier. If you include a root CVCA
certificate, it is strongly recommended that you send the validation string separately
to protect against tampering.
Parameter Description
• RSA-SHA1
• RSA-SHA256
• RSAPSS-SHA1
• RSAPSS-SHA256
• ECDSA-SHA1
• ECDSA-SHA224
• ECDSA-SHA256
-keytype <value> Specifies the key type (RSA or EC), and the key size (RSA) or domain
parameters (EC). The key type must be one of:
• RSA-1024
• RSA-1280
• RSA-1536
• RSA-2048
• RSA-3072
• RSA-4096
• EC-brainpoolP160r1
• EC-brainpoolP160t1
• EC-brainpoolP192r1
• EC-brainpoolP192t1
• EC-brainpoolP224r1
• EC-brainpoolP224t1
• EC-brainpoolP256r1
• EC-brainpoolP256t1
• EC-ansix9p160k1
• EC-ansix9p160r1
• EC-ansix9p160r2
• EC-ansix9p192r1
• EC-ansix9p192k1
• EC-ansix9p224r1
• EC-ansix9p224k1
• EC-ansix9p256r1
• EC-ansix9p256k1
A CVCA key is a national trust anchor and stays in use for years. Unless a
Document Verifier or inspection system you must interoperate with requires
otherwise, avoid RSA-1024, the 160-bit and 192-bit curves and the SHA-1
signature algorithms, and choose at least RSA-2048 or a 256-bit curve together
with a SHA-256 signature algorithm.
-lifetime years | months | weeks | days <value> Specifies the lifetime of the CVCA
certificate in years, months, weeks, or days. Must be between one day and 25 years. If you do
not specify a lifetime, the default is three years.
-warn <days> Specifies the number of days before the certificate expires when
Security Manager starts warning you of the impending expiry. A
value of 0 suppresses the warnings. If you do not specify the warning
threshold, it defaults to 100 days.
To change the frequency at which the messages are logged, edit the
EntCvcaCertExpiryCheckNotBefore,
EntCvcaCertExpiryCheckNotAfter and
EntCvcaCertExpiryCheckPeriod settings in the entmgr.ini file. By
default, warning messages are logged daily. For more information
about these settings, see the Security Manager Operations Guide.
-softKey enabled | disabled Controls whether software is permitted as a storage location for the
CVCA keys. If enabled, you can store the CVCA keys in software. If
disabled, you can only store the CVCA keys on a hardware device.
If you do not specify a value, software storage is permitted. For a
production CVCA, whose private key is the trust anchor for every
Document Verifier certificate it issues, specify -softKey disabled so
that the key can only be generated and kept on a hardware device.
4 Enter the information indicated in the fields on the page. An asterisk is used to
indicate mandatory fields (in this case, the Holder Identity of the foreign CVCA).
The holder identity must start with the ISO 3166-1 ALPHA-2 country code,
followed by a label of one to nine ISO 8859-1 (Latin-1) characters. For example,
GBcvca.
In the URL field, enter the URL of the CVCA’s Web Service if you are configuring
the automatic key and certificate update feature.
5 Click Submit.
4 From the list, click the Holder Identity of the foreign CVCA you want to view.
The View Details page opens, revealing information about the foreign CVCA.
4 Click the holder identity of the foreign CVCA you want to suspend.
To enable a foreign CVCA from the Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1006).
2 If required, find the foreign CVCA that you want to enable (see “Viewing foreign
Country Verifying Certification Authorities” on page 1033).
3 At the prompt, enter:
cvca fcvca enable <fcvca identity>
4 Click the holder identity of the foreign CVCA you want to activate.
4 Click the holder identity of the foreign CVCA you want to delete.
6 Click Delete.
You are prompted to confirm the operation.
7 Click OK to remove the foreign CVCA and all associated root and link certificates
for that foreign CVCA.
Note:
Administration Services cannot import files with file names longer than 3000
characters.
5 Click Import.
5 In the Certificates list, click the Holder of the certificate you want to view.
Parameter Description
-root | -link Specifies whether the certificate is a root certificate (-root) or a link
certificate (-link).
A foreign CVCA certificate is a root certificate if its holder reference
and authority reference are the same. Otherwise it is a link
certificate.
<holder reference> Specifies the holder reference of the foreign CVCA certificate.
Security Manager displays validation strings when exporting a foreign CVCA root
certificate.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.
You have now exported the foreign CVCA certificate. For the initial foreign CVCA
root certificate, send the certificate and the validation strings to the Document
Verifier administrator using a secure method, such as secure email or diplomatic
courier. It is strongly recommended that you send the certificate and validation strings
separately, so that tampering with either one cannot go undetected.
You do not need validation strings for link CVCA certificates, since Document
Verifiers can cryptographically verify link CVCA certificates.
Parameter Description
-root | -link Specifies whether the first certificate in the certificate chain is a root
certificate (-root) or a link certificate (-link). If not specified, -root
is assumed.
A foreign CVCA certificate is a root certificate if its holder reference
and authority reference are the same. Otherwise it is a link
certificate.
Use the <trust point holder reference> parameter to identify
the foreign CVCA certificate that starts the certificate chain.
<leaf holder reference> Specifies the holder reference of the foreign CVCA certificate that
ends the CVCA certificate chain.
<trust point holder reference> Specifies the holder reference of the foreign CVCA certificate that
starts the CVCA certificate chain.
If not specified, the initial foreign CVCA root certificate starts the
certificate chain.
You have now exported the foreign CVCA certificate chain. If you included a root
CVCA certificate in the chain, Security Manager displays validation strings.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.
Send the foreign CVCA certificates to the Document Verifier administrator using a
secure method, such as secure email or diplomatic courier. If you include the initial
foreign CVCA root certificate, it is strongly recommended that you send the
validation string separately to protect against tampering.
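Worked example, added here and not part of the Entrust documentation or product code, of the checks a Document Verifier administrator performs on an exported CVCA certificate or chain, whether it comes from your own CVCA (the export procedures earlier in this chapter) or from a foreign CVCA (the export procedures above): classify each certificate as root or link by comparing the holder reference with the authority reference, confirm the CAR/CHR linkage of the chain starting from the trust point, and compare the validation strings received separately with the root certificate received as a file. The TLV layout (tags 7F21, 7F4E, 42, 5F20, 5F25, 5F24, 5F37) follows the CV certificate format of BSI TR-03110; the sample certificates are constructed with dummy keys and dummy signatures; and the assumption that a validation string is the hex SHA-1 or SHA-256 digest of the exported certificate bytes is mine, since the page does not state how the strings are computed.

```python
import hashlib
import hmac

# Tags of the CV certificate structure (BSI TR-03110), the format in which the CVCA exports certificates.
TAG_CV_CERT, TAG_BODY, TAG_SIGNATURE = 0x7F21, 0x7F4E, 0x5F37
TAG_PROFILE_ID, TAG_CAR, TAG_PUBKEY, TAG_CHR = 0x5F29, 0x42, 0x7F49, 0x5F20
TAG_CHAT, TAG_EFFECTIVE, TAG_EXPIRATION = 0x7F4C, 0x5F25, 0x5F24


def _encode_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    return bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one TLV element with a one- or two-byte tag and a definite length."""
    tag_bytes = tag.to_bytes(2, "big") if tag > 0xFF else bytes([tag])
    return tag_bytes + _encode_length(len(value)) + value


def parse_tlv(data: bytes) -> dict:
    """Parse a sequence of TLV elements into {tag: value}; raise on a truncated element."""
    elems, i = {}, 0
    while i < len(data):
        tag, i = data[i], i + 1
        if (tag & 0x1F) == 0x1F:                  # two-byte tag such as 7F21 or 5F20
            tag, i = (tag << 8) | data[i], i + 1
        length, i = data[i], i + 1
        if length & 0x80:                         # long form: 81 nn or 82 nn nn
            size = length & 0x7F
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        if i + length > len(data):
            raise ValueError("truncated TLV element")
        elems[tag], i = data[i:i + length], i + length
    return elems


def build_cv_certificate(car: str, chr_: str, effective: str, expiration: str) -> bytes:
    """Constructed sample: structurally valid CV certificate with a dummy EC key and a dummy signature."""
    pubkey = tlv(0x06, bytes.fromhex("04007F00070202020203")) + tlv(0x86, b"\x04" + b"\x11" * 64)
    chat = tlv(0x06, bytes.fromhex("04007F000703010201")) + tlv(0x53, b"\xC3")   # CVCA, fingerprint + iris
    body = (tlv(TAG_PROFILE_ID, b"\x00") + tlv(TAG_CAR, car.encode("latin-1"))
            + tlv(TAG_PUBKEY, pubkey) + tlv(TAG_CHR, chr_.encode("latin-1")) + tlv(TAG_CHAT, chat)
            + tlv(TAG_EFFECTIVE, bytes(int(c) for c in effective))      # dates are unpacked BCD YYMMDD
            + tlv(TAG_EXPIRATION, bytes(int(c) for c in expiration)))
    return tlv(TAG_CV_CERT, tlv(TAG_BODY, body) + tlv(TAG_SIGNATURE, b"\x00" * 64))   # no real signing here


def parse_cv_certificate(cert: bytes) -> dict:
    """Return the authority reference (CAR), holder reference (CHR) and validity of one CV certificate."""
    outer = parse_tlv(parse_tlv(cert)[TAG_CV_CERT])
    body = parse_tlv(outer[TAG_BODY])
    return {"car": body[TAG_CAR].decode("latin-1"), "chr": body[TAG_CHR].decode("latin-1"),
            "effective": "".join(str(b) for b in body[TAG_EFFECTIVE]),
            "expiration": "".join(str(b) for b in body[TAG_EXPIRATION])}


def is_root(info: dict) -> bool:
    """A CVCA certificate is a root certificate if its holder and authority references are the same."""
    return info["car"] == info["chr"]


def check_chain(chain: list, trust_point_is_root: bool = True) -> list:
    """Check the CAR/CHR linkage of an exported chain, trust point first; return each certificate's role."""
    roles, previous = [], None
    for raw in chain:
        info = parse_cv_certificate(raw)
        if previous is None and is_root(info) != trust_point_is_root:
            raise ValueError(f"trust point {info['chr']} is not a {'root' if trust_point_is_root else 'link'}")
        if previous is not None and info["car"] != previous:
            raise ValueError(f"{info['chr']} is not issued by {previous}")
        roles.append("root" if is_root(info) else "link")
        previous = info["chr"]
    return roles


def validation_strings(cert: bytes) -> dict:
    """Assumption: a validation string is the hex digest of the exported certificate bytes."""
    return {"SHA1": hashlib.sha1(cert).hexdigest().upper(),
            "SHA256": hashlib.sha256(cert).hexdigest().upper()}


def parse_validation_line(line: str) -> tuple:
    """'SHA256: AB CD ...' -> ('SHA256', 'ABCD...'); the label is not part of the validation string."""
    label, _, value = line.partition(":")
    return label.strip().upper(), "".join(value.split()).upper()


def verify_root_out_of_band(cert: bytes, lines: list) -> bool:
    """Compare the validation strings received separately with the root certificate received as a file."""
    if not is_root(parse_cv_certificate(cert)):
        raise ValueError("only root certificates need validation strings; links are verified by signature")
    computed, received = validation_strings(cert), dict(map(parse_validation_line, lines))
    return bool(received) and all(alg in computed and hmac.compare_digest(computed[alg], value)
                                  for alg, value in received.items())


# Constructed sample chain: the initial root CAcvca00001 and a link certificate for its successor key.
ROOT_CERT = build_cv_certificate("CAcvca00001", "CAcvca00001", "090210", "120210")
LINK_CERT = build_cv_certificate("CAcvca00001", "CAcvca00002", "110210", "140210")
```

verify_root_out_of_band deliberately refuses link certificates: as the text says, a Document Verifier checks a link certificate by verifying its signature with the previous CVCA key, so a validation string adds nothing there, and accepting one would only train administrators to skip the signature check. The comparison uses hmac.compare_digest so that a mismatch is reported without leaking where the strings diverge.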
5 In the Certificates list, click the Holder of the certificate you want to export.
A Certificate Details page appears.
Parameter Description
-ar F | I | FI | "" Specifies the holder access rights (the biometric information
Document Verifiers can access):
• F (fingerprint only)
• I (iris only)
• FI (fingerprint and iris)
• "" (none)
If you do not specify the holder access rights, it defaults to
fingerprint.
Note: The access rights for a Document Verifier cannot exceed the
access rights held by the CVCA. If you specify access rights for a
Document Verifier that the CVCA does not hold, the CVCA will not
add those access rights when issuing a certificate to the Document
Verifier.
-selfSvc yes | no Specifies whether the Document Verifier can use the SPOC Domestic
Web Service to request certificates from the CVCA.
If not specified, Document Verifiers can use the SPOC Domestic
Web Service.
-queueSelfSvc yes | no Specifies whether the Document Verifier can queue operations
performed over the SPOC Domestic Web Service. Queuing
operations performed over the SPOC Domestic Web Service allows
Document Verifier administrators to authorize the operations.
If not specified, Document Verifiers do not queue operations
performed over the SPOC Domestic Web Service.
-lifetime years | months | weeks | days <value> Specifies the lifetime of the Document Verifier
certificate in years, months, weeks, or days.
Enter a lifetime between one day and 25 years.
If you do not specify a lifetime, it defaults to three months.
Note: Document Verifier certificates cannot exceed the lifetime of
the issuing CVCA certificate. When issuing a Document Verifier
certificate, the CVCA will truncate the lifetime of the Document
Verifier certificate if it is set to exceed the lifetime of the CVCA
certificate.
4 To change the read access rights (the biometric information Document Verifiers
can access), click one of the following options:
• Allow Fingerprint
• Allow Iris
• Allow Fingerprint and Iris
• No Access Rights
Parameter Description
<dv identity> The holder identity of the Document Verifier. The holder identity
must start with the ISO 3166-1 ALPHA-2 country code, followed by a
label of one to nine ISO 8859-1 (Latin-1) characters. For example,
GBcvca.
-ar F | I | FI | "" Specifies custom holder access rights for the Document Verifier:
• F (fingerprint only)
• I (iris only)
• FI (fingerprint and iris)
• "" (none)
If you do not specify custom holder access rights, it defaults to the
setting in the Document Verifier policy. See “Configuring the
Document Verifier policy” on page 1056 for information about
viewing and changing the Document Verifier policy.
Note: The access rights for a Document Verifier cannot exceed the
access rights held by the CVCA. If you specify access rights for a
Document Verifier that the CVCA does not hold, the CVCA will not
add those access rights when issuing a certificate to the Document
Verifier.
-selfSvc yes | no Specifies whether the Document Verifier can use the SPOC Domestic
Web Service to request certificates from the CVCA.
If not specified, it defaults to the setting in the Document Verifier
policy. See “Configuring the Document Verifier policy” on
page 1056 for information about viewing and changing the
Document Verifier policy.
-queueSelfSvc yes | no Specifies whether the Document Verifier can queue operations
performed over the SPOC Domestic Web Service. Queuing
operations performed over the SPOC Domestic Web Service allows
Document Verifier administrators to authorize the operations.
If not specified, it defaults to the setting in the Document Verifier
policy. See “Configuring the Document Verifier policy” on
page 1056 for information about viewing and changing the
Document Verifier policy.
-lifetime years | months | weeks | days <value> Specifies a custom certificate lifetime for the
Document Verifier certificates in years, months, weeks, or days. Must be between one
day and 25 years.
If you do not specify a custom certificate lifetime, it defaults to the
setting in the Document Verifier policy. See “Configuring the
Document Verifier policy” on page 1056 for information about
viewing and changing the Document Verifier policy.
Note: Document Verifier certificates cannot exceed the lifetime of
the issuing CVCA certificate. When issuing a Document Verifier
certificate, the CVCA will truncate the lifetime of the Document
Verifier certificate if it is set to exceed the lifetime of the CVCA
certificate.
-super <value> Specifies the holder identity of the Document Verifier’s domestic
CVCA. Specify a domestic CVCA if more than one CVCA uses the
same country code, or if the domestic CVCA uses a different country
code.
If the CVCA holder identity does not exist, an error occurs and the
operation fails.
If you do not specify a domestic CVCA, Security Manager
determines if the Document Verifier is a domestic or foreign
Document Verifier based on the country code in the holder identity:
• If the country code matches your CVCA’s country code, it is a
domestic Document Verifier, regardless of whether other CVCAs
exist with the same country code.
• If the country code is different than your CVCA’s country code, it
is a foreign Document Verifier.
Note: If the country code of the Document Verifier matches your
CVCA’s country code, the Document Verifier uses a Domestic DV
license. If the country code is different than your CVCA’s country
code, the Document Verifier uses a Foreign DV license. Specifying a
domestic CVCA does not determine which license to use.
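Worked example, added here and not Entrust code, of the three rules the -ar, -lifetime and -super parameters above describe: an access right the CVCA does not itself hold is dropped when the Document Verifier certificate is issued, a Document Verifier lifetime is truncated at the expiry of the issuing CVCA certificate, and a Document Verifier is domestic or foreign by country code unless a supervising CVCA is named, while the license class follows the country code alone. The bit layout of the CHAT discretionary-data byte (role in bits 7 and 6, iris in bit 1, fingerprint in bit 0) is taken from BSI TR-03110 and is not stated on this page; decoding 0x81 reproduces the Role and Access Rights lines of the certificate listing in this chapter. The reading that a DV with a named supervising CVCA is domestic to your CVCA only when that supervising CVCA is your own is my assumption.

```python
import re
from datetime import date, timedelta

# CHAT discretionary-data byte for id-EAC-ePassport (bit layout from BSI TR-03110, assumed here since the
# page does not state it): bits 7-6 role, bit 1 read access to iris (DG4), bit 0 read access to fingerprint (DG3).
ROLES = {0xC0: "CVCA", 0x80: "DV (domestic)", 0x40: "DV (foreign)", 0x00: "IS"}
RIGHT_BITS = {"F": 0x01, "I": 0x02}
RIGHT_NAMES = {0: "None", 1: "Fingerprint only", 2: "Iris only", 3: "Fingerprint and iris"}
# Holder identity: ISO 3166-1 alpha-2 country code (two uppercase letters) plus 1-9 printable Latin-1 characters.
HOLDER_IDENTITY = re.compile(r"^[A-Z]{2}[\x20-\x7E\xA0-\xFF]{1,9}$")


def encode_access_rights(ar: str) -> int:
    """Map an -ar value (F, I, FI or "") to CHAT access-right bits."""
    if ar not in ("", "F", "I", "FI"):
        raise ValueError(f"invalid access rights {ar!r}")
    return sum(RIGHT_BITS[c] for c in ar)


def decode_chat(discretionary: int) -> dict:
    """Decode a CHAT byte into the Role and Access Rights lines shown in a certificate listing."""
    return {"role": ROLES[discretionary & 0xC0], "access_rights": RIGHT_NAMES[discretionary & 0x03]}


def validate_holder_identity(identity: str) -> str:
    if not HOLDER_IDENTITY.match(identity):
        raise ValueError(f"invalid holder identity {identity!r}")
    return identity


def classify_dv(dv_identity: str, my_cvca: str, known_cvcas: set, supervising_cvca: str = None) -> dict:
    """Domestic/foreign role and license class of a Document Verifier, following the -super rules."""
    validate_holder_identity(dv_identity)
    same_country = dv_identity[:2] == my_cvca[:2]
    if supervising_cvca is None:
        domestic = same_country            # default: the country code alone decides
    elif supervising_cvca not in known_cvcas:
        raise ValueError(f"CVCA holder identity {supervising_cvca!r} does not exist")
    else:
        domestic = supervising_cvca == my_cvca   # assumption: domestic to this CVCA only if it is the named CVCA
    return {"role": "domestic" if domestic else "foreign",
            "license": "Domestic DV" if same_country else "Foreign DV"}   # the license follows the country code only


def issue_dv_chat(requested_ar: str, cvca_chat: int, domestic: bool) -> int:
    """Grant at most the rights the CVCA itself holds; rights the CVCA lacks are silently dropped."""
    granted = encode_access_rights(requested_ar) & cvca_chat & 0x03
    return (0x80 if domestic else 0x40) | granted


def issue_dv_validity(not_before: date, lifetime: timedelta, cvca_expiry: date) -> tuple:
    """Truncate the DV certificate lifetime so that it never exceeds the issuing CVCA certificate."""
    if not timedelta(days=1) <= lifetime <= timedelta(days=25 * 366):   # one day to 25 years (approximate)
        raise ValueError("lifetime must be between one day and 25 years")
    if not_before >= cvca_expiry:
        raise ValueError("the issuing CVCA certificate has expired")
    return not_before, min(not_before + lifetime, cvca_expiry)
```

Note that issue_dv_chat never raises when a requested right is dropped; that mirrors the documented behaviour ("the CVCA will not add those access rights"), so an administrator who wants to know that iris access was refused has to compare the issued certificate with the request, for instance with decode_chat.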
4 In the Holder Identity field, enter the holder identity of the Document Verifier.
The identity must begin with an ISO 3166-1 ALPHA-2 country code consisting
of two uppercase alphabetic characters, followed by a maximum of nine Latin-1
characters.
5 (Optional.) In the Supervising CVCA Identity field, enter the holder identity of
the Document Verifier’s domestic CVCA. Specify a domestic CVCA if more than
one CVCA uses the same country code, or if the domestic CVCA uses a different
country code.
If the CVCA holder identity does not exist, an error occurs and the operation fails.
If you do not specify a domestic CVCA, Security Manager determines if the
Document Verifier is a domestic or foreign Document Verifier based on the
country code in the holder identity:
• If the country code matches your CVCA’s country code, it is a domestic
Document Verifier, regardless of whether other CVCAs exist with the same
country code.
• If the country code is different than your CVCA’s country code, it is a foreign
Document Verifier.
6 (Optional.) In the Friendly Name field, enter a descriptive string to identify the
Document Verifier.
7 (Optional.) In the E-mail address field, enter an email address associated with the
contact person for the Document Verifier.
8 For Read Access Rights, specify the read access rights (the biometric information
Document Verifiers can access) as follows:
• To use the default read access rights, click Use Global Default Value.
The default read access rights are configured in the Document Verifier policy.
See “Configuring the Document Verifier policy” on page 1056 for details.
• To specify custom read access rights, click Custom Settings and then click
one of the following:
– Allow Fingerprint
– Allow Iris
– Allow Fingerprint and Iris
– No Access Rights
The access rights for a Document Verifier cannot exceed the access rights held by
the CVCA. CVCA Administration will display only the access rights that you can
set for the Document Verifier that will not exceed the access rights held by the
CVCA.
9 For Certificate Lifetime, specify the certificate lifetime of the Document Verifier
certificates as follows:
• To use the default certificate lifetime, click Use Global Default Value.
The default certificate lifetime is configured in the Document Verifier policy.
See “Configuring the Document Verifier policy” on page 1056 for details.
• To specify a custom certificate lifetime, click Custom Settings and then enter
a lifetime (in years, months, weeks, or days), in the Certificate Lifetime
Frequency text field and drop-down list.
Enter a lifetime between one day and 25 years.
Document Verifier certificates cannot exceed the lifetime of the issuing CVCA
certificate. When issuing a Document Verifier certificate, the CVCA will truncate
7 Click Submit to find all Document Verifiers that meet your search criteria.
The results are returned in a table on the Search Results pane.
8 Click the column header link in a results table to sort the table by that parameter.
9 To view a specific Document Verifier, click the holder identity of the Document
Verifier.
Parameter Description
-state enabled | -state disabled Finds Document Verifiers in the enabled state (-state enabled) or
Document Verifiers in the disabled state (-state disabled).
-ar <value> Finds Document Verifiers with specific holder access rights, where
<value> is one of:
• F (fingerprint only)
• I (iris only)
• FI (fingerprint and iris)
• "" (none)
-selfSvc yes | -selfSvc no Finds Document Verifiers that can use the SPOC Domestic Web
Service to request certificates from the CVCA (-selfSvc yes) or
Document Verifiers that require administrators to request certificates
from the CVCA (-selfSvc no).
-queueSelfSvc yes | -queueSelfSvc no Finds Document Verifiers that can queue operations
performed over the SPOC Domestic Web Service (-queueSelfSvc yes) or
Document Verifiers that cannot queue operations performed over
the SPOC Domestic Web Service (-queueSelfSvc no).
-lifetime years | months | weeks | days <value> Finds Document Verifiers with a specific
certificate lifetime in years, months, weeks, or days. Must be between one day and 25 years.
-super <value> Finds Document Verifiers with a specific custom domestic CVCA,
where <value> is the holder identity of the CVCA.
Parameter Description
-reset Resets the existing custom Document Verifier policy settings to the
Document Verifier policy defaults.
Note: If you specify new custom policy settings, the new custom
settings replace the existing values.
-ar F | I | FI | "" Specifies the custom holder access rights for the Document Verifier:
• F (fingerprint only)
• I (iris only)
• FI (fingerprint and iris)
• "" (none)
If you do not specify custom holder access rights, it defaults to the
setting in the Document Verifier policy. See “Configuring the
Document Verifier policy” on page 1056 for information about
viewing and changing the Document Verifier policy.
Note: The access rights for a Document Verifier cannot exceed the
access rights held by the CVCA. If you specify access rights for a
Document Verifier that the CVCA does not hold, the CVCA will not
add those access rights when issuing a certificate to the Document
Verifier.
-selfSvc yes | no Specifies whether the Document Verifier can use the SPOC Domestic
Web Service to request certificates from the CVCA.
If not specified, it defaults to the setting in the Document Verifier
policy. See “Configuring the Document Verifier policy” on
page 1056 for information about viewing and changing the
Document Verifier policy.
-queueSelfSvc yes | no Specifies whether the Document Verifier can queue operations
performed over the SPOC Domestic Web Service. Queuing
operations performed over the SPOC Domestic Web Service allows
Document Verifier administrators to authorize the operations.
If not specified, it defaults to the setting in the Document Verifier
policy. See “Configuring the Document Verifier policy” on
page 1056 for information about viewing and changing the
Document Verifier policy.
-lifetime years | months | weeks | days <value> Specifies the custom lifetime of the Document
Verifier certificates in years, months, weeks, or days. Must be between one day and 25
years.
If you do not specify a custom certificate lifetime, it defaults to the
setting in the Document Verifier policy. See “Configuring the
Document Verifier policy” on page 1056 for information about
viewing and changing the Document Verifier policy.
Note: Document Verifier certificates cannot exceed the lifetime of
the issuing CVCA certificate. When issuing a Document Verifier
certificate, the CVCA will truncate the lifetime of the Document
Verifier certificate if it is set to exceed the lifetime of the CVCA
certificate.
-super <value> Specifies the holder identity of the Document Verifier’s domestic
CVCA. Specify a domestic CVCA if more than one CVCA uses the
same country code, or if the domestic CVCA uses a different country
code.
If the CVCA holder identity does not exist, an error occurs and the
operation fails.
If you do not specify a domestic CVCA, Security Manager
determines if the Document Verifier is a domestic or foreign
Document Verifier based on the country code in the holder identity:
• If the country code matches your CVCA’s country code, it is a
domestic Document Verifier, regardless of whether other CVCAs
exist with the same country code.
• If the country code is different than your CVCA’s country code, it
is a foreign Document Verifier.
Note: If the country code of the Document Verifier matches your
CVCA’s country code, the Document Verifier uses a Domestic DV
license. If the country code is different than your CVCA’s country
code, the Document Verifier uses a Foreign DV license. Specifying a
domestic CVCA does not determine which license to use.
You have now modified a Document Verifier. The changes take effect the next time
you process a Document Verifier certificate request (see “Processing Document
Verifier certificate requests” on page 1091).
4 (Optional.) In the Supervising CVCA Identity field, enter the holder identity of
the Document Verifier’s domestic CVCA. Specify a domestic CVCA if more than
one CVCA uses the same country code, or if the domestic CVCA uses a different
country code.
If the CVCA holder identity does not exist, an error occurs and the operation fails.
If you do not specify a domestic CVCA, Security Manager determines if the
Document Verifier is a domestic or foreign Document Verifier based on the
country code in the holder identity:
• If the country code matches your CVCA’s country code, it is a domestic
Document Verifier, regardless of whether other CVCAs exist with the same
country code.
• If the country code is different than your CVCA’s country code, it is a foreign
Document Verifier.
3 Verify that you want to activate the Document Verifier and then click Activate.
Note:
By default, a Document Verifier is a foreign Document Verifier if the country code
in the Document Verifier holder identity is different from the country code in the
CVCA holder identity. However, more than one CVCA can share a country code
and a CVCA can use a different code than the domestic Document Verifier. If
required, modify a Document Verifier to specify its domestic CVCA (see
“Modifying Document Verifiers” on page 1071).
If the certificate request contains an outer signature, Security Manager confirms that
the certificate request was signed by the requesting Document Verifier, ensures that
the Document Verifier certificate that authenticated the certificate request was issued
by the CVCA and is valid, and verifies the outer signature.
If the certificate request does not contain an outer signature, Security Manager
generates and displays validation strings.
Note:
You cannot countersign a DV's certificate request unless the DV has been added
to the CVCA (see “Adding Document Verifiers” on page 1060).
Parameter Description
<inputFile> The file name of the file containing the Document Verifier certificate
request.
<outputFile> The file name of the file where Security Manager writes the
countersigned Document Verifier certificate request.
5 Click Countersign.
The Countersigned Certificate Request Details pane appears.
Parameter Description
<input file> The file name of the Document Verifier certificate request file.
Note:
You cannot countersign a DV's certificate request unless the DV has been added
to the CVCA (see “Adding Document Verifiers” on page 1060).
Parameter Description
-allow expired | -allow unauthenticated | -allow countersigned Controls which subsequent
certificate requests the CVCA accepts when the Document Verifier cannot produce a
request with an outer signature from a valid certificate:
• If a Document Verifier loses its key, it must produce a subsequent certificate
request without an outer signature. Use -allow unauthenticated to process such
a request. You must also specify either the -oobAuth or -valStrAuth parameter.
• If a Document Verifier allows all its certificates to expire, it must produce an
unauthenticated certificate request, or a certificate request authenticated by an
expired certificate. Use -allow expired to process a certificate request
authenticated by an expired certificate.
• A foreign CVCA can countersign a Document Verifier certificate request intended
for another CVCA (see “Countersigning Document Verifier certificate requests” on
page 1085). Use -allow countersigned to accept a subsequent certificate request
countersigned by a foreign CVCA.
<inputFile> The file name of the file containing the Document Verifier certificate
request.
<outputFile> The file name of the file where Security Manager writes the
Document Verifier certificate.
You have now processed the Document Verifier certificate request and generated a
new Document Verifier certificate. If Security Manager fails to write the Document
Verifier certificate to the local file system, Security Manager displays an error, and you
Note:
The file containing the certificate request must be in DER format.
Note:
Validation strings are only required for certificate requests without an outer
signature. The CVCA can cryptographically verify certificate requests with an
outer signature.
Note:
DV certificates do not contain elliptic curve domain parameters. When displaying
the key type for elliptic curves, Security Manager will display the elliptic curve
size. For example, if the key type is EC-ansix9p256r1, Security Manager will
display EC-256 as the key type.
CV Certificate:
Certificate Body:
Profile Identifier: 0
Authority Reference: CAcvca00001
Public Key: EC Public Key (CV format)
OID: id-TA-ECDSA-SHA-256 (0.4.0.127.0.7.2.2.2.2.3)
Key Type: EC-256
Public Point: 044518AEF85A20C9E24107E2750D0CB886275D4A713095F61
5405275B51333000F39141EB3830186BF9E91FE3C31BBB2EC
27FBF0E889E4543786759CC1E450FCD9
Holder Reference: CAdvCA001
Holder Authorization: ePassport Terminal Authentication
OID: id-EAC-ePassport (0.4.0.127.0.7.3.1.2.1)
Discretionary Data: 81
Role: DV (domestic)
Access Rights: Fingerprint only
Effective Date: February 10, 2009 GMT (090210)
Expiration Date: February 10, 2012 GMT (120210)
Signature: C2EFF6F5C663BB8BE8724F6564EE5EF8EA53033FD193FD284
7C1DE437F5B6FD39FC0745E702F156CBD01025A1209D9D5BE
13AB6BD5F9397F73525A563774787D
3 To view a specific Document Verifier certificate, click the holder reference of the
certificate that you want to view.
The View Certificate pane appears.
Note:
DV certificates do not contain elliptic curve domain parameters. When displaying
the key type for elliptic curves, Security Manager will display the elliptic curve
size. For example, if the key type is EC-ansix9p256r1, Security Manager will
display EC-256 as the key type.
Parameter Description
<output file> The file name of the file where Security Manager writes the
Document Verifier certificate.
You have now exported a Document Verifier certificate. Send the Document Verifier
certificate to the Document Verifier administrator using a secure method, such as
secure email or diplomatic courier.
Only operations that you can approve or cancel are displayed in this pane.
Approve adds an approval to the operation. If this completes the number of
approvals required, the operation proceeds.
Cancel changes the status of the request to canceled. You must supply a reason
for canceling the request. The request will remain in the queue with its new
status.
Cancel and Delete cancels the request and deletes it from the queue.
4 Set the search options to return the results that you require. For example, All
queued operations that I can approve, or all queued operations submitted on a
particular date. Use the options in combination to create the list of search results
that fits your needs.
5 Click Submit.
Customizing the CVCA Administration interface
When customizing the CVCA Administration interface, you can make several
changes to reflect the corporate identity of your company. This section provides you
with details about how to apply those changes.
Note:
Any changes you make may require you to complete manual tasks when you
upgrade to the next version of Administration Services. It is recommended that
you keep track of the changes you make.
Figure 26: Custom application title for CVCA Administration dynamic pages
commonpage.css Defines the styles for elements common to all pages in the
interface, such as the title bar.
help.css Defines the styles for the CVCA Administration online help.
style.css Loads all the CSS files except the help.css file.
Only someone with a good knowledge of CSS should edit the CSS files. When editing
the CSS files, take care not to make any changes that can break the CVCA
Administration interface. Always back up a file before making any edits to the file.
Note:
Do not remove the en_US folder. It is the default locale.
Localization overview
Localization is the process of modifying or adapting a software application to fit the
requirements of a particular locale. Localization includes translating application text
to conform with a specific locale, and it might also include modifying the date, time,
and currency formats.
About locales
A locale is a specific geographic, political, or cultural region. Locales are generally
specified using a language code combined with a country code.
Language codes are two-letter codes defined by ISO 639 Code for the representation
of the names of languages. By convention, language codes are shown in lower case.
Some common examples include:
• en—English
• fr—French
• ja—Japanese
• ko—Korean
• zh—simplified and traditional Chinese
Country codes are two-letter codes defined by ISO 3166 Country Codes. By
convention, country codes appear in upper case. Some common examples include:
• CA—Canada
• US—United States
• GB—United Kingdom (Great Britain)
• JP—Japan
• CN—China
Defining locales
Locales are generally specified using a combination of a language code and a country
code. The most common interpretation of this standard is the two-letter language
code followed by the two-letter country code, for example:
• fr_CA—French (Canada)
• en_US—English (United States)
• en_GB—English (United Kingdom)
• ja_JP—Japanese (Japan)
Table 65: CVCA Administration files to translate for your new locale
Note:
If your browser's default language is your localized language, the localized page
will appear with a link to the English page.
Security classes
3 Commands with no key icon are non-harmful commands that do not require
access to the database. They require no authorization.
2 Non-harmful commands. Autologin must be enabled, or you must be
logged in to an active Security Manager Control Command Shell
session.
1 Commands that require access to the database but do not cause
irreversible change. You must be logged in to an active Security
Manager Control Command Shell session.
0 Commands that cause a policy change or update that may be
irreversible. These require one additional Master User password if the policy
has been set to require multiple authorizations.
Table 66: cvca commands
This section provides instructions for installing a Single Point of Contact (SPOC),
installing and configuring Administration Services, and administering the SPOC.
This section contains the following chapters:
• “Installing a SPOC CA” on page 1153
• “Deploying the SPOC services” on page 1161
• “Configuring the SPOC services” on page 1213
• “Administering a Single Point of Contact” on page 1223
• “Customizing SPOC Administration” on page 1277
• “Localizing SPOC Administration” on page 1283
• “SPOC Domestic Web Service API reference” on page 1291
1152 Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0
Report any errors or omissions
Installing a SPOC CA
Before you can administer a Single Point of Contact (SPOC), you must install a SPOC
Certification Authority (CA). Installing a SPOC CA requires that you install, configure
and initialize Security Manager as a SPOC CA.
This chapter includes the following sections:
• “Installing and configuring Security Manager” on page 1154
• “Configuring the SPOC CA” on page 1157
• “Post-configuration steps” on page 1160
Installing and configuring Security Manager
Before installing Security Manager, ensure that you read all preinstallation
information described in the Security Manager 8.3 Installation Guide. Ensure that
you install and configure a supported LDAP directory and database as described in
the Security Manager 8.3 Installation Guide.
Note:
The distinguished name (DN) of the SPOC CA must include c=<country>, where
<country> is the country code of the country represented by the SPOC. For
example, the DN for a Canada SPOC CA must include c=CA. When installing and
configuring the Security Manager directory, ensure that the directory suffix or CA
DN includes c=<country>. The two-letter country code must be in uppercase
characters to meet the ISO 3166 standard.
Attention:
Not all Security Manager client applications support all the algorithms that you
can select when configuring Security Manager. When configuring Security
Manager, ensure that you select algorithms supported by all the client
applications that you plan to use.
1 For CA Type:
• If the SPOC CA will be a root CA, click Root CA.
• If the SPOC CA will be an intermediate CA (called a subordinate CA in
Security Manager), click Subordinate CA.
Note:
If you will configure your CA as an intermediate CA (called a subordinate CA in
Security Manager), ensure that the root CA is configured for the same level of
Microsoft compatibility. The root CA certificate must include an HTTP CRL
distribution point (CDP).
Note:
After you configure Security Manager, but before you initialize Security Manager,
you can customize the CDP information by editing the [CDP] section of the
entmgr.ini file. After initializing Security Manager, you customize CDP
information by editing the certificate specifications.
• “Configuring SPOC Domestic Web Service authentication to a directory
without anonymous access” on page 1205
• “Configuring SPOC administrators for PKCS #12 enrollment” on page 1207
• “Creating SPOC administrators” on page 1208
• “Testing the SPOC Services” on page 1212
To create new certificate types for SPOC Server and SPOC Client profiles
1 From the SPOC CA, export the Security Manager certificate specifications.
You can export the certificate specifications from Security Manager
Administration, or from the Security Manager Control Command Shell using the
fcs export command. See the Security Manager Administration User Guide or
Security Manager Operations Guide for details.
2 Open the certificate specifications file in a text editor.
3 Add the following to the [Certificate Types] section:
ent_spoc_tls_2kp=enterprise,ePassport - SPOC TLS Server 2-Key-Pair User,
_continue_=2-Key-Pair user for SPOC TLS Server.
ent_spoc_client_2kp=enterprise,ePassport - SPOC TLS Client 2-Key-Pair User,
_continue_=2-Key-Pair user for SPOC TLS Client.
4 Add the following to the [Extension Definitions] section:
[ent_spoc_tls_2kp Certificate Definitions]
1=Dual Usage
2=Verification
To create a new certificate definition policy for the new certificate types
1 Log in to Security Manager Administration for the SPOC CA.
2 In the tree view, expand Security Policy > User Policies.
To create a user entry for the SPOC Server profile using Security Manager
Administration
1 Log in to Security Manager Administration for the SPOC CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
4 Click the General tab.
5 From the Role drop-down list, select SPOC Role.
To create a user entry for the SPOC Client profile using Security Manager
Administration
1 Log in to Security Manager Administration for the SPOC CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
4 Click the General tab.
5 From the Role drop-down list, select SPOC Role.
6 Select the Certificate Info tab, and then complete the following:
Note:
If CVCA Administration or any non-ePassport service is already installed, the
CVCA must be an online CVCA.
This page lists all configured services (if any). Click Next to add a new service.
a In the SSL/TLS Port for SPOC Web Service field, enter the SSL port number
for the SPOC Web Service (by default 443 or 7443).
This is the port that foreign SPOCs will use to access your SPOC Web Service.
b In the SSL/TLS Port for SPOC Domestic CVCA Web Service field, enter the
SSL port number for the SPOC Domestic Web Service (by default 6443).
c In the SSL/TLS Port for SPOC Administration Web Service field, enter the
SSL port number for SPOC Administration (by default 8443).
d Click Next.
Note:
You may have obtained an entire chain of CVCA certificates from your domestic
CVCA. The instructions for adding additional domestic CVCA certificates to
SPOC are included at the end of this procedure.
c Click Next.
If the CVCA is offline, proceed to Step 15 on page 1189.
a In the text field, enter the full path and file name of the entrust.ini file
you obtained from your domestic CVCA, or click Choose to locate the file.
b Click Next.
a In the Enter the location of the SPOC Domestic CVCA Profile field, click
Choose to locate and select the SPOC Domestic Web Service profile (EPF
file).
b In the Enter the Password to login to your SPOC Domestic CVCA Profile
field, enter the password for the EPF file.
c Click Next.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the SPOC Domestic Web Service profile.
b In the Enter the Password to login to your SPOC Domestic CVCA Profile
field, enter the password for the profile.
c Click Next.
a In the text field, enter the full path and file name of the entrust.ini file
you obtained from your SPOC CA, or click Choose to locate the file.
b Click Next.
a In the Enter the location of the SPOC Profile field, click Choose to locate and
select the SPOC Server profile (EPF file).
b In the Enter the Password to login to your SPOC Profile field, enter the
password for the EPF file.
c Click Next.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the SPOC Server profile.
b In the Enter the Password to login to your SPOC Profile field, enter the
password for the profile.
c Click Next.
a In the Enter the location of the SPOC Client Profile field, click Choose to
locate and select the SPOC Client profile (EPF file).
b In the Enter the Password to login to your SPOC Client Profile field, enter
the password for the EPF file.
c Click Next.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the SPOC Client profile.
b In the Enter the Password to login to your SPOC Client Profile field, enter
the password for the profile.
c Click Next.
a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. By default, this option is already selected.
– To not start the service after exiting the installer, deselect Start the service
automatically. You must manually restart Administration Services to use the
new service.
b Click Next.
26 If your domestic CVCA is offline and you obtained an entire chain of CVCA
certificates:
a Save the CVCA certificates you obtained from your domestic CVCA to the
following location:
<AS-install>\services\spoc\spoc\domestic-cvca-certs
b Restart Administration Services.
The URL to the SPOC WSDL (Web Service Definition Language) file is
https://<host_name>:<port>/spoc/wsdl/spoc.wsdl, where:
• <host_name> is the fully qualified host name of the server hosting the SPOC
services.
To create a user entry for a SPOC administrator using the User Management
Service
1 Log in to the User Management Service for the SPOC CA.
2 Click the Accounts tab.
3 Click the Create Account tab.
4 In the User Type drop-down list, select a user type.
User types determine which attributes and object classes are included in the user’s
distinguished name.
5 In the Certificate Type drop-down list, select Enterprise - ePassport - SPOC
Administrator.
6 In the available text fields, enter the name that will become the common name
of the user entry. An asterisk (*) appears beside required fields. You must enter
information into all fields marked with asterisks.
7 From the Role drop-down list, select SPOC Administrator.
To create the SPOC administrator credentials as a PKCS #12 security store, the
client policy (user policy) assigned to the role must allow PKCS #12 export. For
details, see “Configuring SPOC administrators for PKCS #12 enrollment” on
page 1207.
8 Complete the rest of the information as required. See the Administration Services
User Administration Guide for more information.
9 Click Submit.
The information is sent to Security Manager. Security Manager returns activation
codes (reference number and authorization code) and displays them in the
Account Details page.
Record these activation codes in a secure manner, as they are required later to
create and activate the user’s Entrust digital ID.
Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.
Configuring SPOC services logs
The SPOC services—SPOC Administration, SPOC Web Service, and SPOC Domestic
Web Service—share a log file. This log file contains messages related to the operation
of the SPOC services.
Administration Services allows you to customize the SPOC services log file settings.
You can configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain
Setting Description
<Level> Sets the level of detail for the logs.
The logging level can be one of (in increasing severity) TRACE, DEBUG,
INFO, WARNING, ERROR, ALERT, or FATAL. This sets the lowest level of
message to show. For example, ERROR provides messages of ERROR,
ALERT and FATAL status.
Default: INFO
<FileName> Sets the name (including path) of the log file.
Default: <AS-install>\services\spoc\spoc\logs\spoc_spoc.log
<FileSize> Sets the maximum size of a log file, in bytes.
Default: 1000000
Do not set the value to 0, or Apache Tomcat will fail to start.
<Backups> Sets the maximum number of log files to keep. After the last log file
reaches the maximum size, the first log file is overwritten.
Default: 10
Setting Description
<Server> An instance setting that sets the Uniform Resource Locator (URL)
address for the XAP Server. SPOC sends requests to this URL.
Note: This setting is defined during installation and should not be
changed.
Setting Description
<Connections> The initial number of connections that SPOC opens with the XAP
server when Administration Services starts. The number of
connections to the XAP server increases automatically up to the
maximum when the number of users concurrently using
Administration Services increases.
Default value: 2
<IdleTimeout> Specifies the length of time (in minutes) that SPOC allows a
connection with the XAP server to remain idle before closing it
and creating a new connection.
Default value: 30
<MaxConnections> The maximum number of connections SPOC opens with the XAP
Server. After reaching the maximum, connections are
automatically closed after use. Since new messages cannot be
sent to the XAP server until a connection is available, repeatedly
reaching this maximum may slow system performance.
Default value: 50
Setting Description
<OutgoingThreadTime> Controls how often (in minutes) the outgoing message thread
checks for outbound requests not yet in the Completed state and
tries to advance their state. For example:
<OutgoingThreadTime>1</OutgoingThreadTime>
A value of 5 indicates that the outgoing message thread checks the
outbound requests every five minutes. If you enter a value of 0, the
outgoing message thread continuously monitors the outbound
requests.
Default: 1
<IncomingThreadTime> Controls how often (in minutes) the incoming message thread
checks for inbound requests not yet in the Completed state and
tries to advance their state. For example:
<IncomingThreadTime>5</IncomingThreadTime>
A value of 5 indicates that the incoming message thread checks the
inbound requests every five minutes. If you enter a value of 0, the
incoming message thread continuously monitors the inbound
requests.
Default: 5
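The tables above give hard limits that are easy to get wrong by hand (a <FileSize> of 0 stops Apache Tomcat, the initial pool size should not exceed <MaxConnections>) and describe <Level> as a severity floor. The following Python script is an added example, not Entrust code and not the layout of the actual Administration Services configuration file beyond the element names documented above: it validates a settings fragment against those limits and shows which messages a configured level lets through. The <SpocSettings> wrapper element, both sample fragments and the function names are constructed for this example.

```python
# Added example (not Entrust code): validate SPOC services settings against the
# documented limits and model <Level> as a severity floor. The <SpocSettings>
# wrapper and the sample fragments are constructed for this example.
import xml.etree.ElementTree as ET

# Log levels in increasing severity, as documented for <Level>
LEVELS = ["TRACE", "DEBUG", "INFO", "WARNING", "ERROR", "ALERT", "FATAL"]

# Documented defaults, applied when an element is absent from the fragment
DEFAULTS = {
    "Level": "INFO", "FileSize": "1000000", "Backups": "10",
    "Connections": "2", "IdleTimeout": "30", "MaxConnections": "50",
    "OutgoingThreadTime": "1", "IncomingThreadTime": "5",
}


def is_logged(configured_level, message_level):
    """A message is written when its severity is at least the configured <Level>."""
    return LEVELS.index(message_level) >= LEVELS.index(configured_level)


def check_spoc_settings(xml_text):
    """Return the list of problems found in the fragment (an empty list means it passes)."""
    root = ET.fromstring(xml_text)
    values = dict(DEFAULTS)
    for name in DEFAULTS:
        node = root.find(f".//{name}")
        if node is not None and node.text:
            values[name] = node.text.strip()

    problems = []
    if values["Level"] not in LEVELS:
        problems.append(f"Level must be one of {', '.join(LEVELS)}; got {values['Level']!r}")

    n = {}                                  # parsed numeric settings
    for name in DEFAULTS:
        if name == "Level":
            continue
        try:
            n[name] = int(values[name])
        except ValueError:
            problems.append(f"{name} must be an integer; got {values[name]!r}")

    if "FileSize" in n and n["FileSize"] <= 0:
        problems.append("FileSize must be greater than 0, or Apache Tomcat will fail to start")
    if "Backups" in n and n["Backups"] < 1:
        problems.append("Backups must be at least 1")
    if "MaxConnections" in n and n["MaxConnections"] < 1:
        problems.append("MaxConnections must be at least 1")
    if "Connections" in n and "MaxConnections" in n and n["Connections"] > n["MaxConnections"]:
        problems.append("Connections (initial pool size) cannot exceed MaxConnections")
    for name in ("IdleTimeout", "OutgoingThreadTime", "IncomingThreadTime"):
        if name in n and n[name] < 0:
            problems.append(f"{name} cannot be negative")
    return problems


# Constructed fragment using the documented defaults
GOOD_SETTINGS = """<SpocSettings>
  <Level>INFO</Level>
  <FileSize>1000000</FileSize>
  <Backups>10</Backups>
  <Connections>2</Connections>
  <IdleTimeout>30</IdleTimeout>
  <MaxConnections>50</MaxConnections>
  <OutgoingThreadTime>1</OutgoingThreadTime>
  <IncomingThreadTime>5</IncomingThreadTime>
</SpocSettings>"""

# Constructed fragment with three mistakes: unknown level, zero file size,
# initial pool larger than the maximum
BAD_SETTINGS = """<SpocSettings>
  <Level>VERBOSE</Level>
  <FileSize>0</FileSize>
  <Connections>100</Connections>
  <MaxConnections>50</MaxConnections>
</SpocSettings>"""


if __name__ == "__main__":
    print("good:", check_spoc_settings(GOOD_SETTINGS))
    print("bad:", check_spoc_settings(BAD_SETTINGS))
    print("ERROR floor passes ALERT:", is_logged("ERROR", "ALERT"))
</test>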
Creating SPOC DVCKM Client credentials for
Document Verifiers
When installing the DVCKM (see “Installing the DVCKM” on page 1388), the
installer prompts for a SPOC DVCKM Client profile. The SPOC DVCKM Client profile
secures SSL communications between the DVCKM and the SPOC Domestic Web
Service to automatically receive Document Verifier (DV) certificate requests without
intervention from an administrator.
A PKI administrator at the SPOC CA must create a SPOC DVCKM Client profile for
each domestic DV. Do not create SPOC DVCKM Client profiles for foreign DVs. Only
domestic DVs communicate with the domestic SPOC.
Note:
There can be only one SPOC DVCKM Client instance for each Document Verifier.
For details about creating SPOC DVCKM Client profiles, see the following:
• “Creating a user entry for a SPOC DVCKM Client profile” on page 1224
• “Creating a SPOC DVCKM Client profile” on page 1225
• “Updating the SPOC DVCKM Client profile keys” on page 1226
To create a user entry for the SPOC DVCKM Client profile using Security
Manager Administration
1 Log in to Security Manager Administration for the SPOC CA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
Note:
The CVCA cannot be offline if you install CVCA Administration or any X.509
service. You specified whether the CVCA was online or offline when you installed
Administration Services (see “Installing the SPOC services” on page 1178).
If the domestic CVCA is offline, you already provided your SPOC with the initial root
CVCA certificate when you installed Administration Services (see “Installing the SPOC
services” on page 1178). If the domestic CVCA keys were updated, then your SPOC
requires the entire chain of domestic CVCA certificates, from the initial root CVCA
certificate to the latest link certificate.
Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.
For each foreign SPOC, the list includes the country code of the foreign SPOC
and the URL of the foreign SPOC Web Service. If the URL is listed as Pending,
then the foreign SPOC is currently offline or has not yet added your SPOC to its
list of foreign SPOCs.
Note:
A URL of Pending may also indicate that your SPOC CA was incorrectly
configured (see “Installing a SPOC CA” on page 1153 for information about
configuring a SPOC CA). It is recommended that you contact the foreign SPOC
administrator to confirm whether your SPOC is still pending. You may need to
restart Administration Services.
4 In the Foreign SPOC ID column, click the country code of the foreign SPOC you
want to edit.
The Edit Foreign SPOC pane appears.
4 In the row corresponding to the foreign SPOC that you want to delete, click
Delete.
A confirmation dialog box appears.
Note:
A Document Verifier will automatically request DV certificates from a CVCA if
you configured it to automatically exchange certificates with the SPOC through
the DVCKM and SPOC Domestic Web Service (see “Configuring
communications between the DVCKM and SPOC Domestic Web Service” on
page 1492).
The Outbound Message Details pane provides details about the outbound message
you sent to the foreign SPOC. The Inbound Response Details pane provides details
received from the foreign SPOC.
8 If the foreign SPOC automatically replied to the request with a DV certificate, you
can view and export the DV certificate:
a Click View Certificate to view the DV certificate. You must view the
certificate before you can export it to a file.
The View Certificate page appears.
4 In the Foreign SPOC ID drop-down list, select the country code of the foreign
SPOC that will receive the outbound message.
5 Under Message Type, click Send new CVCA certificates.
A Certificate Filename field and Attach another certificate command appear at
the bottom of the pane.
6 For the Certificate Filename field, click Browse to select the file containing the
CVCA certificate.
7 To attach another certificate to the outbound request, click Attach another
certificate to add another field under Certificate Filename. Repeat the previous
step to attach another certificate to the outbound request.
8 Click Submit.
The Outbound Message Details pane provides details about the outbound message
you sent to the foreign SPOC. The Inbound Response Details pane provides details
received from the foreign SPOC.
If you sent more than one CVCA certificate, the chain of CVCA certificates sent
appears in a Certificate List pane. The initial root CVCA certificate is listed as
Certificate 1. Subsequent link and root certificates are listed as Certificate 2,
Certificate 3, and so on.
9 If required, you can view and export any CVCA certificates you sent to the
foreign CVCA.
a Click View Certificate to view the CVCA certificate. You must view the
certificate before you can export it to a file.
The View Certificate page appears.
4 In the Foreign SPOC ID drop-down list, select the country code of the foreign
SPOC that will receive the outbound message.
5 Under Message Type, click Send a general message.
A Subject field and Body text box appear at the bottom of the page.
6 In the Subject field, enter a subject for your message.
4 Click the country code corresponding to the outbound request that you want to
delete.
The View Details page appears. For example:
• For the Manual state, you can send a failure response by clicking Send Failure
Response.
You may need to send a failure response if a problem occurred when
manually processing a request at the domestic CVCA. It is recommended
that you contact the foreign SPOC (see “Sending general messages to
foreign SPOCs” on page 1247) and request help to resolve the problem.
If you select Send Failure Response, the Send Failure Response page
appears. For example:
PG : c:\PG.p12
US : c:\US.p12
GB : c:\GB.p12
Customizing the SPOC Administration interface
When customizing the SPOC Administration interface, you can make several changes
to reflect the corporate identity of your company. This section provides you with
details about how to apply those changes.
Note:
Any changes you make may require you to complete manual tasks when you
upgrade to the next version of Administration Services. It is recommended that
you keep track of the changes you make.
Figure 30: Custom application title and browser title for SPOC Administration
commonpage.css Defines the styles for elements common to all pages in the
interface, such as the title bar.
style.css Loads all the CSS files except the help.css file.
Only someone with a good knowledge of CSS should edit the CSS files. When editing
the CSS files, take care not to make any changes that can break the SPOC
Administration interface. Always back up a file before making any edits to the file.
Note:
Do not remove en_US as it is the default locale.
Localization overview
Localization is the process of modifying or adapting a software application to fit the
requirements of a particular locale. Localization includes translating application text
to conform with a specific locale, and it might also include modifying the date, time,
and currency formats.
About locales
A locale is a specific geographic, political, or cultural region. Locales are generally
specified using a language code combined with a country code.
Language codes are two-letter codes defined by ISO 639 Code for the representation
of the names of languages. By convention, language codes are shown in lower case.
Some common examples include:
• en—English
• fr—French
• ja—Japanese
• ko—Korean
• zh—simplified and traditional Chinese
Country codes are two-letter codes defined by ISO 3166 Country Codes. By
convention, country codes appear in upper case. Some common examples include:
• CA—Canada
• US—United States
• GB—United Kingdom (Great Britain)
• JP—Japan
• CN—China
Defining locales
Locales are generally specified using a combination of a language code and a country
code. The most common interpretation of this standard is the two-letter language
code followed by the two-letter country code, for example:
• fr_CA—French (Canada)
• en_US—English (United States)
• en_GB—English (United Kingdom)
• ja_JP—Japanese (Japan)
Table 71: SPOC Administration files to translate for your new locale
GetCACertificates
Description: Returns a CVCA certificate chain, ensuring that the caller has the
most recent CVCA certificate chain for the desired country.
Request: javax.activation.DataHandler Certificate
This request parameter is optional. It contains a sample CVCA certificate. The
country will be derived from that sample certificate. All CVCA link certificates that
post date the sample certificate are returned. No self-signed root CVCA
certificates are returned, as only the link certificates are required to form a chain
of trust.
If omitted, all domestic CVCA certificates are returned.
Response: javax.activation.DataHandler[] certificateChain
RequestCertificate
Description: Submits a DVCA certificate request for processing.
The certificate request can be for any country registered at the domestic SPOC.
The SPOC service will route it accordingly.
Request processing may be synchronous or asynchronous (pending result), and
the calling application must cope with either result. Pending results occur because
not all jurisdictions support automatic processing of DVCA certificate requests,
particularly initial certificate requests.
Request: javax.activation.DataHandler CertificationRequest
Response:
com.entrust.cvcaws.axis2.ResultCode. Returns one of the following:
– ResultCode.success
Indicates the certificate was returned successfully.
– ResultCode.pending
Indicates the request is being processed asynchronously. The calling routine
should poll the Web service (repeat the request) until a certificate is
returned.
– ResultCode.failure
The certificate was not returned.
org.apache.axis2.databinding.types.PositiveInteger PollingInterval. If polling is
required, this returns the recommended time in seconds to wait before retrying a
certificate request.
javax.activation.DataHandler Certificate
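The pending result is the part of RequestCertificate that calling applications most often mishandle: it is not an error, and the same request must be repeated after the returned PollingInterval. The following Python code is an added example, not part of the SPOC Domestic Web Service API or its generated Axis2 client: it shows a client that treats the three ResultCode values as documented, waits the recommended interval between retries, and gives up after a bounded number of attempts. The stand-in service, the 60-second fallback interval used when no PollingInterval is returned, and the function names are assumptions of this example.

```python
# Added example (not Entrust code): client-side handling of the RequestCertificate
# result codes success, pending and failure. The SPOC endpoint is replaced by a
# constructed stand-in, and sleeping is injected so the waits can be recorded.
from dataclasses import dataclass
from typing import Optional

SUCCESS, PENDING, FAILURE = "success", "pending", "failure"
DEFAULT_POLLING_INTERVAL = 60      # assumed fallback (seconds) when no interval is returned


@dataclass
class RequestCertificateResult:
    """Mirrors the documented response parts: ResultCode, PollingInterval, Certificate."""
    result_code: str
    polling_interval: Optional[int] = None
    certificate: Optional[bytes] = None


def obtain_dv_certificate(submit, certification_request, sleep, max_attempts=10):
    """Submit, and re-submit, the request until the SPOC answers success or failure.

    Returns (outcome, certificate, attempts). A pending answer means the request is
    being processed asynchronously, so the same request is repeated after the
    recommended interval rather than treated as a failure.
    """
    for attempt in range(1, max_attempts + 1):
        result = submit(certification_request)
        if result.result_code == SUCCESS:
            if not result.certificate:
                raise ValueError("success reported without a certificate")
            return SUCCESS, result.certificate, attempt
        if result.result_code == FAILURE:
            return FAILURE, None, attempt
        if result.result_code != PENDING:
            raise ValueError(f"unknown ResultCode {result.result_code!r}")
        interval = result.polling_interval
        sleep(interval if interval and interval > 0 else DEFAULT_POLLING_INTERVAL)
    return "gave up", None, max_attempts


class FakeSpocDomesticService:
    """Constructed stand-in: answers pending a fixed number of times, then a final result."""

    def __init__(self, pending_rounds, interval=30, final=SUCCESS):
        self.pending_rounds = pending_rounds
        self.interval = interval
        self.final = final
        self.calls = 0

    def submit(self, certification_request):
        self.calls += 1
        if self.calls <= self.pending_rounds:
            return RequestCertificateResult(PENDING, polling_interval=self.interval)
        if self.final == SUCCESS:
            # A constructed placeholder certificate, not a real CV certificate
            return RequestCertificateResult(SUCCESS, certificate=b"\x7f\x21" + certification_request)
        return RequestCertificateResult(FAILURE)


def run_scenario(pending_rounds, final=SUCCESS, max_attempts=10):
    """Drive the client against the stand-in; returns (outcome, attempts, recorded waits)."""
    waits = []
    spoc = FakeSpocDomesticService(pending_rounds, final=final)
    outcome, _cert, attempts = obtain_dv_certificate(
        spoc.submit, b"constructed-request", waits.append, max_attempts)
    return outcome, attempts, waits


if __name__ == "__main__":
    print(run_scenario(2))                   # pending twice, then the certificate
    print(run_scenario(1, FAILURE))          # pending once, then a failure response
    print(run_scenario(5, max_attempts=3))   # still pending when the retry budget runs out
```

Because every retry re-sends the identical request, the client needs no state beyond the request bytes; the bounded attempt count is what keeps a jurisdiction that processes initial requests manually from stalling the caller indefinitely.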
This section provides instructions for installing a Document Verifier (DV), installing
and configuring Administration Services, and administering the Document Verifier.
This section includes the following chapters:
• “Installing a Document Verifier” on page 1295
• “Deploying DV Administration” on page 1305
• “Deploying the DV Certificate Key Management Service” on page 1379
• “Deploying the DV Web Service” on page 1411
• “Configuring DV Administration” on page 1447
• “Configuring the DV Certificate Key Management Service” on page 1475
• “Configuring the DV Web Service” on page 1493
• “Administering a Document Verifier” on page 1517
• “Customizing DV Administration” on page 1633
• “Localizing DV Administration” on page 1645
• “DV command quick reference” on page 1655
Note:
Configuring Security Manager as a Document Verifier is required for an Extended
Access Control (EAC) system. For a Basic Access Control (BAC)-only system, you
only need to configure Security Manager as an X.509 CA. In an Entrust BAC
system, you use the X.509 CA to create a profile for the DV Web Service, a DV
service provided by Administration Services.
Installing and configuring Security Manager
Before installing Security Manager, ensure that you read all preinstallation
information described in the Security Manager 8.3 Installation Guide. Ensure that
you install and configure a supported LDAP directory and database as described in
the Security Manager 8.3 Installation Guide.
When using the countryName (c=) directory attribute to specify a two-letter country
code, the two-letter country code must be in uppercase characters to meet the ISO
3166 standard.
This chapter contains the following sections:
• “Installing and configuring Security Manager on Windows” on page 1296
• “Installing and configuring Security Manager on Linux” on page 1298
Attention:
Not all Security Manager client applications support all the algorithms that you
can select when configuring Security Manager. When configuring Security
Manager, ensure that you select algorithms supported by all the client
applications that you plan to use.
For Document Verifiers, enter the DV license information into the DV for
Inspection Systems tab.
The CVCA for Domestic DVs and CVCA for Foreign DVs tabs are for CVCAs
that manage Document Verifiers. If you mistakenly enter license information
into these tabs, click Clear Values to reset the license information.
b If you plan on using Administration Services to administer the Document
Verifier, select algorithms that are supported by Administration Services.
See the Administration Services Release Notes for information about which
algorithms are supported by Administration Services.
c For CA Type, click Root CA to configure the Certification Authority as a root
CA.
Only a root CA can be configured as a Document Verifier, so if you entered DV
license information earlier, Root CA is the only option available.
2 If you entered DV license information, the Configuration Information for DV
dialog box appears.
Note:
If you do not enter DV license information, Security Manager does not prompt
you to configure and initialize a DV. To configure and initialize a DV after
initializing Security Manager, see “Initializing a Document Verifier” on
page 1303.
Do not enter license information for the following prompts. These prompts
are for CVCA licenses. If you enter information into these prompts, you
cannot configure a Document Verifier.
Enter the CVCA licensing information for domestic DVs that
appears on your Entrust licensing card. This is optional at
this time. The information may be added at a later date by
modifying the entmgr.ini file.
Domestic DV Serial Number:
Domestic DV User Limit:
Domestic DV Licensing Code:
Enter license information for the following prompts. These prompts are for
your Document Verifier license.
Enter the DV licensing information for Inspection Systems that
appears on your Entrust licensing card. This is optional at
this time. The information may be added at a later date by
modifying the entmgr.ini file.
IS Serial Number:
IS User Limit:
IS Licensing Code:
b If you plan on using Administration Services to administer the Document
Verifier, select algorithms that are supported by Administration Services.
See the Administration Services Release Notes for information about which
algorithms are supported by Administration Services.
c Security Manager will prompt you to configure the CA as a root CA or a
subordinate CA:
A hierarchy of CAs comprises several CAs linked into a tree
structure. There is a single CA which unites the tree into a
single structure. This CA is the "Root CA". A CA which does not
participate in a hierarchy is also referred to as a "Root CA"
since it may have subordinates at some time in the future. Any
other CA in the hierarchy is called a "Subordinate CA".
To initialize a DV
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 At the prompt, enter
dv init <country code> <mnemonic>
Where:
• <country code> is an ISO 3166-1 ALPHA-2 country code.
• <mnemonic> is a unique label for the DV certificate. The label must be
between one and nine ISO 8859-1 Latin-1 characters.
3 If the services are running, Security Manager prompts you to restart the services:
This will restart the services. proceed (y/n) ? [y]
Enter y to restart the services.
You have now initialized a DV.
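The two arguments of dv init carry constraints that are easy to get wrong at the prompt (a lowercase country code, a mnemonic that is too long or contains a character outside Latin-1). The following script, an added example that is not Entrust code, checks the arguments against exactly the rules stated above and builds the command line; rejecting whitespace in the mnemonic is this example's own assumption, and the function names are its own.

```python
"""Check the arguments for 'dv init <country code> <mnemonic>' before typing them.

Added example, not Entrust code. It enforces only the constraints stated in the
procedure above: an uppercase ISO 3166-1 alpha-2 country code and a mnemonic of
1 to 9 ISO 8859-1 (Latin-1) characters. Rejecting whitespace in the mnemonic is
this example's own assumption (the shell would read it as a second argument).
The command is returned as a string; nothing is executed.
"""
import re
from typing import List

# Form check only: two uppercase ASCII letters. Whether the code is actually
# assigned by ISO 3166-1 needs a code list, which this example does not carry.
COUNTRY_RE = re.compile(r"[A-Z]{2}")


def validate_dv_init(country_code: str, mnemonic: str) -> List[str]:
    """Return the problems found; an empty list means the arguments are acceptable."""
    problems: List[str] = []
    if not COUNTRY_RE.fullmatch(country_code):
        if COUNTRY_RE.fullmatch(country_code.upper()):
            # Lowercase is the usual mistake: c= values must be uppercase per ISO 3166.
            problems.append(
                f"country code {country_code!r} must be uppercase: {country_code.upper()!r}")
        else:
            problems.append(
                f"country code {country_code!r} is not a two-letter ISO 3166-1 alpha-2 code")
    if not 1 <= len(mnemonic) <= 9:
        problems.append(
            f"mnemonic {mnemonic!r} must be 1 to 9 characters, got {len(mnemonic)}")
    try:
        mnemonic.encode("iso-8859-1")
    except UnicodeEncodeError as exc:
        problems.append(
            f"mnemonic contains a character outside ISO 8859-1: {mnemonic[exc.start]!r}")
    if any(ch.isspace() for ch in mnemonic):
        problems.append(
            "mnemonic must not contain whitespace (assumption: it is one shell argument)")
    return problems


def dv_init_command(country_code: str, mnemonic: str) -> str:
    """Build the Control Command Shell line, or raise ValueError listing every problem."""
    problems = validate_dv_init(country_code, mnemonic)
    if problems:
        raise ValueError("; ".join(problems))
    return f"dv init {country_code} {mnemonic}"


if __name__ == "__main__":
    print(dv_init_command("DE", "DVDEMO"))          # constructed sample values
    print(validate_dv_init("de", "DV\u20acdemo"))   # lowercase code, euro sign outside Latin-1
```

Run the validator on the values you intend to type; only when it returns an empty list should the command be entered at the Control Command Shell prompt.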
Deploying DV Administration
This chapter describes how to deploy DV Administration. DV Administration is a
service provided by Entrust Authority Administration Services.
DV Administration is a Web-based interface for administering a Document Verifier.
DV administrators use DV Administration to manage DV certificates and certificate
requests, Inspection Systems, and Inspection System certificates and certificate
requests.
This chapter includes the following sections:
• “Deployment overview” on page 1306
• “Installing and configuring the Web server (optional)” on page 1307
• “Synchronizing Administration Services and Security Manager time settings”
on page 1310
• “Creating DV Administration Server credentials” on page 1311
• “Creating DV Administration XAP credentials” on page 1315
• “Checking the entrust.ini file” on page 1318
• “Installing DV Administration” on page 1320
• “Completing the Microsoft IIS front-end configuration for DV
Administration” on page 1351
• “Completing the Apache HTTP Server front-end configuration for DV
Administration” on page 1358
• “Configuring DV Administration to connect to the DVCA” on page 1364
• “Creating or modifying a user policy for DV administrators” on page 1368
• “Creating roles for DV administrators” on page 1371
• “Creating DV administrators” on page 1373
• “Testing DV Administration” on page 1377
Deployment overview
Deploying DV Administration includes the following steps. Each step is described in
further detail in this chapter.
1 Review the list of supported operating systems, Web servers, and Web browsers
in the Entrust Authority Administration Services Release Notes. The most
recent Release Notes are posted on Entrust Datacard TrustedCare.
2 Install, configure, and test a supported Web server (see “Installing and
configuring the Web server (optional)” on page 1307).
3 Synchronize the application server and Security Manager Certification Authority
time setting (see “Synchronizing Administration Services and Security Manager
time settings” on page 1310).
4 Create Entrust profiles for Administration Services:
• “Creating DV Administration Server credentials” on page 1311
• “Creating DV Administration XAP credentials” on page 1315
5 Check the settings in the entrust.ini file (see “Checking the entrust.ini file” on
page 1318).
6 Install DV Administration (see “Installing DV Administration” on page 1320).
7 If you configured DV Administration to use a front-end Web server, you must
complete the front-end configuration:
• “Completing the Microsoft IIS front-end configuration for DV
Administration” on page 1351
• “Completing the Apache HTTP Server front-end configuration for DV
Administration” on page 1358
8 Create or modify a user policy for DV administrators (see “Creating or modifying
a user policy for DV administrators” on page 1368).
The client policy (user policy) assigned to the roles used by DV administrators
must allow external authentication and optionally PKCS #12 export.
9 Create new roles for DV administrators (see “Creating roles for DV
administrators” on page 1371).
The operations that administrators can perform in DV Administration depend on
the administrator’s role. You can use existing predefined roles, or create new
roles for your DV administrators.
10 Create a user entry in Security Manager for each DV administrator (see “Creating
DV administrators” on page 1373).
11 Test that DV Administration was installed correctly (see “Testing DV
Administration” on page 1377).
Note:
Web Server SSL certificates must be issued by a Certification Authority.
Self-signed certificates are not supported.
You need a Web server certificate to enable SSL on your Web server. You can use the
following Entrust products to obtain Web server certificates:
• To generate large numbers of licensed Web server certificates, use Entrust
Authority Enrollment Server for Web.
Note:
You need to create a DV Administration Server profile only if you will not use a
front-end Web server with DV Administration. The Administration Services
installer will not prompt you for a DV Administration Server profile if you
configure the application server components for a front-end Web server.
To create a user entry for the DV Administration Server profile using Security
Manager Administration
1 Log in to Security Manager Administration for the DVCA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
To create a user entry for the DV Administration XAP profile using Security
Manager Administration
1 Log in to Security Manager Administration for the DVCA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
This page lists all configured services (if any). Click Next to add a new service.
a In the Host Name field, enter the fully qualified host name of your Web site.
For example, webserver.example.com.
b In the Port Number field, enter the SSL port number of your Web site (by
default 443).
c Click Next.
a In the Enter the SSL/TLS port number for the DV Administration Service
field, enter the SSL port number for the DV Administration instance (by
default 14443).
b Click Next.
If you chose to configure the Web server front-end, proceed to Step 15 on
page 1331.
a In the text field, enter the full path and file name of the entrust.ini file
from the Entrust CA that issued the DV Administration Server profile, or click
Choose to locate the file.
b Click Next.
a In the Enter the location of the DV Administration Profile field, click Choose
to locate and select the DV Administration Server profile (EPF file).
b In the Enter the Password to login to your DV Administration Profile field,
enter the password for the EPF file.
c Click Next.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the DV Administration Server profile.
b In the Enter the Password to login to your DV Administration Profile field,
enter the password for the profile.
c Click Next.
a In the Enter the Managed CA name field, enter a unique name for the DVCA.
Note:
The name is a friendly name to identify the DVCA, not the DV identity.
The name must be at least four characters long, and must contain only
letters, numbers, underscores, spaces, and hyphens. At least four characters
must be a combination of uppercase letters, lowercase letters, and numbers.
b Administration Services requires connection information to the DVCA and its
LDAP directory. The installer can take the information from the DVCA’s
entrust.ini file or you can provide the information manually.
– To use the information from the DVCA’s entrust.ini file, select Use
information from entrust.ini, and then enter the full path and file name of
the entrust.ini file into the Enter the location of the entrust.ini field or
click Choose to locate the file.
a In the Enter Manager Host Name field, enter the fully qualified domain name
of the server hosting the DVCA. For example, domain.example.com.
b In the Enter PKI Port Number field, enter the CMP port of the DVCA,
typically 829.
c In the Enter XAP Port Number field, enter the XAP port of the DVCA,
typically 443 or 1443.
d In the Enter LDAP Host Name field, enter the fully qualified domain name of
the DVCA’s LDAP directory. For example, ldap.example.com.
e In the Enter LDAP Port number field, enter the LDAP port of the directory
(typically 389).
f Click Next.
a In the Enter the location of the XAP Profile field, enter the full path and file
name of the DV Administration XAP profile issued by the DVCA, or click
Choose to select the file.
b In the Enter the Password to login to your XAP Profile field, enter the
password for the DV Administration XAP profile.
c Click Next.
a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. By default, this option is already selected.
– To not start the service after exiting the installer, deselect Start the service
automatically. You must manually restart Administration Services to use the
new service.
b Click Next.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.
This page lists all configured services (if any). Click Next to add a new service.
a Select the Web server that you will use for Administration Services.
b Click Next.
a In the Web Server’s Fully Qualified Host Name or IP Address field, enter the
fully qualified host name or IPv4 address of your Web site. For example,
webserver.example.com.
b In the Web Server’s SSL Port field, enter the SSL port number of your Web
site (by default 443).
c Click Next.
a Enter the path to the folder that contains the Web server’s configuration file
(httpd.conf file) or click Choose to select the folder that contains the file.
b Click Next to continue.
a In the text field, enter the fully qualified host name or IPv4 address of the
server hosting the application server components. For example,
appserver.example.com.
b Click Next.
a In the Enter the SSL/TLS port number for the DV Administration Service
field, enter the SSL port number for DV Administration (by default 14443).
b Click Next.
11 Click Finish.
Note:
If the file referenced by SSLCertificateChainFile or SSLCACertificateFile
contains too many certificates, Apache HTTP Server may fail to load all the
certificates. If the Web server fails to load all the certificates, it may be unable to
successfully maintain a session with the Web browser. To work around this issue,
you can use the SSLCACertificatePath setting instead of the
SSLCertificateChainFile or SSLCACertificateFile settings. For information
about using the SSLCACertificatePath setting, see the Apache HTTP Server
documentation.
• The SSLCertificateFile setting must specify the path and file name of a
PEM-encoded SSL server certificate. The path can be a path relative to the
Apache HTTP Server installation directory. For example:
SSLCertificateFile conf/ssl/server.crt
• The SSLCertificateKeyFile setting must specify the path and file name of
a private key file. The path can be a path relative to the Apache HTTP Server
installation directory. For example:
SSLCertificateKeyFile conf/ssl/server.key
Note:
If the file referenced by SSLCACertificateFile contains too many certificates,
Apache HTTP Server may fail to load all the certificates. If the Web server fails to
load all the certificates, it may be unable to successfully maintain a session with
the Web browser. To work around this issue, you can use the
SSLCACertificatePath setting instead of the SSLCACertificateFile setting.
For information about using the SSLCACertificatePath setting, see the Apache
HTTP Server documentation.
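The notes above recommend SSLCACertificatePath when a bundle holds more certificates than Apache HTTP Server loads from a single file. That directive does not read a bundle: mod_ssl looks each CA certificate up by its OpenSSL subject-name hash, so the directory must contain one PEM file per certificate, named <hash>.<n>. The script below, an added example that is neither Entrust nor Apache tooling, splits a bundle into individual certificates and produces those file names. It assumes the openssl command line is installed for the hash step; the function names, the sample bundle (placeholder bodies, not real certificates) and the directory path in the usage comment are this example's own.

```python
"""Populate an SSLCACertificatePath directory from a PEM bundle.

Added example, not Entrust or Apache tooling. mod_ssl finds certificates in
SSLCACertificatePath by OpenSSL subject-name hash under file names of the form
<hash>.<n>, so each certificate from the bundle is written under that name. The
hash comes from 'openssl x509 -noout -subject_hash' (assumed to be installed);
splitting the bundle itself needs no external tool.
"""
import re
import subprocess
from pathlib import Path
from typing import Callable, Dict, List, Tuple

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(text: str) -> List[str]:
    """Return each certificate block in bundle order, dropping any text between
    them (openssl text dumps, comments, 'Bag Attributes' from PKCS #12 exports)."""
    return [m.group(0) + "\n" for m in PEM_CERT_RE.finditer(text)]


def openssl_subject_hash(pem: str) -> str:
    """Subject-name hash as printed by the openssl command line (assumed available)."""
    proc = subprocess.run(
        ["openssl", "x509", "-noout", "-subject_hash"],
        input=pem.encode(), capture_output=True, check=True,
    )
    return proc.stdout.decode().strip()


def plan_ca_dir(bundle_text: str,
                hash_fn: Callable[[str], str] = openssl_subject_hash) -> List[Tuple[str, str]]:
    """Map each certificate to its <hash>.<n> file name without touching disk.
    n increments when several certificates share a subject hash, which is
    legitimate for a CSCA self-signed certificate and its link certificate."""
    seen: Dict[str, int] = {}
    plan: List[Tuple[str, str]] = []
    for pem in split_pem_bundle(bundle_text):
        h = hash_fn(pem)
        n = seen.get(h, 0)
        seen[h] = n + 1
        plan.append((f"{h}.{n}", pem))
    return plan


def install_ca_dir(bundle_text: str, cert_dir: Path,
                   hash_fn: Callable[[str], str] = openssl_subject_hash) -> List[Path]:
    """Write the planned files into cert_dir (the directory named in SSLCACertificatePath)."""
    cert_dir.mkdir(parents=True, exist_ok=True)
    written: List[Path] = []
    for name, pem in plan_ca_dir(bundle_text, hash_fn):
        path = cert_dir / name
        path.write_text(pem)
        written.append(path)
    return written


# Constructed bundle: the bodies are placeholders, not real certificates, so only
# the splitting logic is exercised here; a real bundle is needed for openssl.
SAMPLE_BUNDLE = """\
Bag Attributes: constructed leading text that must be dropped
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUk9PVCBDRVJUSUZJQ0FURSBQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
subject=CN=Constructed Intermediate
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgSU5URVJNRURJQVRFIFBMQUNFSE9MREVS
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # With a real bundle, omit hash_fn so openssl computes the names, for example:
    # install_ca_dir(Path("chain.pem").read_text(), Path("conf/ssl/cacerts"))
    for name, _ in plan_ca_dir(SAMPLE_BUNDLE, hash_fn=lambda pem: "0123abcd"):
        print(name)
```

After writing the directory, point SSLCACertificatePath at it and reload Apache; the hash must come from the same OpenSSL generation that mod_ssl links against, which is why the example shells out to the installed openssl rather than computing the hash itself.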
Setting Description
managedca.entrust.0.uniqueid
  Specifies the unique ID for the DVCA. The value must be 0.
managedca.entrust.0.host
  Specifies the IPv4 address or fully qualified domain name of the server
  hosting the DVCA.
managedca.entrust.0.xapport
  Specifies the XAP port of the DVCA (typically 443 or 1443).
managedca.entrust.0.pkixport
  Specifies the PKIX-CMP port of the DVCA (typically 829).
managedca.entrust.0.ldap.host
  Specifies the IPv4 address or fully qualified domain name of the server
  hosting the DVCA’s LDAP directory.
managedca.entrust.0.ldap.port
  Specifies the LDAP port of the directory (typically 389).
managedca.entrust.0.xapexternalauthepf
  Specifies the full path and file name of the DV Administration XAP profile
  issued by the DVCA. For information about creating DV Administration XAP
  profiles for the DVCA, see “Creating DV Administration XAP credentials” on
  page 1315.
managedca.entrust.0.digest.algorithm
  Specifies the digest algorithm used to sign XAP messages. Permitted values:
  • sha1 for SHA-1.
  • sha256 for SHA-256.
  DV Administration signs the XAP message using the DV administrator’s
  profile. If the profile has a DSA or ECDSA key pair, set the XAP message
  signing algorithm to SHA-1. If not specified, the default is sha1. Because
  SHA-1 is no longer collision resistant, set sha256 for profiles with RSA keys
  and keep sha1 only where DSA or ECDSA keys require it.
managedca.entrust.0.ldap.principal
  Java Naming and Directory Interface (JNDI) credentials are required to
  access the DVCA’s LDAP directory when anonymous bind is not available. This
  setting specifies the JNDI principal (the bind DN) used to connect to the
  directory.
managedca.entrust.0.ldap.credential
  Specifies the password for the JNDI principal used to connect to the
  directory. Administration Services stores the password as an encrypted
  value. If this setting is absent or has no value, an anonymous bind is used
  to connect to the directory.
managedca.entrust.0.xap.connections.initial
  Specifies the initial number of XAP connections that DV Administration
  opens with the DVCA when Administration Services starts. The number of XAP
  connections to the DVCA increases automatically up to the maximum as the
  number of administrators concurrently using Administration Services
  increases. If not specified, the default is 4.
managedca.entrust.0.xap.connections.max
  Specifies the maximum number of XAP connections that DV Administration
  opens with the DVCA. After reaching the maximum, connections are closed
  automatically after use. Because new XAP messages cannot be sent to the
  DVCA until a connection is available, repeatedly reaching this maximum may
  slow system performance. If not specified, the default is 20.
managedca.entrust.0.xap.connections.idle.timeout
  Specifies the length of time (in minutes) that DV Administration allows a
  XAP connection with the DVCA to remain idle before closing it and creating a
  new connection. If not specified, the default is 30 minutes.
managedca.entrust.0.xap.connections.socket.timeout
  Specifies the maximum length of time (in seconds) that DV Administration
  waits for the DVCA to accept a XAP connection before returning an error.
  This setting prevents DV Administration from hanging indefinitely if the
  DVCA does not accept the connection, for example because the DVCA server is
  too busy. If not specified, the default is 60 seconds.
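A mistake in these settings (a port typed wrong, a bind password with no principal, an initial pool larger than the maximum) only surfaces when Administration Services is restarted and fails to reach the DVCA. The script below, an added example that is not Entrust code, reads the managedca.entrust.0.* keys, applies the defaults from the table above and reports what must be fixed before the restart. The key=value file layout, the check rules, the function names and the sample values are this example's own assumptions.

```python
"""Check the managedca.entrust.0.* settings before restarting Administration Services.

Added example, not Entrust code. The setting names and defaults are the ones in
the table above; the key=value file layout, the check rules and every function
name are this example's own assumptions.
"""
from typing import Dict, List

PREFIX = "managedca.entrust.0."

# Defaults stated in the table above, applied when a key is absent.
DEFAULTS = {
    "digest.algorithm": "sha1",
    "xap.connections.initial": "4",
    "xap.connections.max": "20",
    "xap.connections.idle.timeout": "30",
    "xap.connections.socket.timeout": "60",
}
REQUIRED = ("uniqueid", "host", "xapport", "pkixport",
            "ldap.host", "ldap.port", "xapexternalauthepf")
PORTS = ("xapport", "pkixport", "ldap.port")
COUNTERS = ("xap.connections.initial", "xap.connections.max",
            "xap.connections.idle.timeout", "xap.connections.socket.timeout")


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines (assumed layout); blank lines and # comments are skipped.
    Only the first '=' splits, so a bind DN such as cn=x,o=y survives intact."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def managed_ca_settings(props: Dict[str, str]) -> Dict[str, str]:
    """Keep the managedca.entrust.0.* keys, strip the prefix and fill in defaults."""
    s = {k[len(PREFIX):]: v for k, v in props.items() if k.startswith(PREFIX)}
    for key, default in DEFAULTS.items():
        s.setdefault(key, default)
    return s


def check_managed_ca(text: str) -> List[str]:
    """Return findings prefixed ERROR or WARN; an empty list means nothing to fix."""
    s = managed_ca_settings(parse_properties(text))
    out: List[str] = []
    for key in REQUIRED:
        if not s.get(key):
            out.append(f"ERROR {PREFIX}{key} is missing")
    if s.get("uniqueid", "0") != "0":
        out.append(f"ERROR {PREFIX}uniqueid must be 0, got {s['uniqueid']!r}")
    for key in PORTS:
        v = s.get(key, "")
        if v and not (v.isdigit() and 1 <= int(v) <= 65535):
            out.append(f"ERROR {PREFIX}{key} is not a valid TCP port: {v!r}")
    digest = s["digest.algorithm"].lower()
    if digest not in ("sha1", "sha256"):
        out.append(f"ERROR {PREFIX}digest.algorithm must be sha1 or sha256, got {digest!r}")
    elif digest == "sha1":
        out.append(f"WARN {PREFIX}digest.algorithm is sha1; use sha256 unless the "
                   "administrator profiles hold DSA or ECDSA keys")
    # A password with no principal cannot produce an authenticated bind.
    if s.get("ldap.credential") and not s.get("ldap.principal"):
        out.append(f"ERROR {PREFIX}ldap.credential is set but {PREFIX}ldap.principal is empty")
    elif not s.get("ldap.credential"):
        out.append(f"WARN {PREFIX}ldap.credential is empty, so the directory is bound anonymously")
    nums: Dict[str, int] = {}
    for key in COUNTERS:
        v = s[key]
        if v.isdigit() and int(v) > 0:
            nums[key] = int(v)
        else:
            out.append(f"ERROR {PREFIX}{key} must be a positive integer, got {v!r}")
    lo, hi = nums.get("xap.connections.initial"), nums.get("xap.connections.max")
    if lo is not None and hi is not None and lo > hi:
        out.append(f"ERROR {PREFIX}xap.connections.initial ({lo}) exceeds "
                   f"{PREFIX}xap.connections.max ({hi})")
    return out


# Constructed sample settings (host names, path, DN and password are placeholders).
SAMPLE_OK = """\
managedca.entrust.0.uniqueid=0
managedca.entrust.0.host=dvca.example.com
managedca.entrust.0.xapport=1443
managedca.entrust.0.pkixport=829
managedca.entrust.0.ldap.host=ldap.example.com
managedca.entrust.0.ldap.port=389
managedca.entrust.0.xapexternalauthepf=/opt/entrust/profiles/dvadmin-xap.epf
managedca.entrust.0.digest.algorithm=sha256
managedca.entrust.0.ldap.principal=cn=dvadmin-bind,ou=services,o=example
managedca.entrust.0.ldap.credential=placeholder-bind-password
"""

# Constructed file with four mistakes: wrong uniqueid, impossible port, password
# without a principal, and an initial pool larger than the maximum; the digest
# algorithm is left at its default so the SHA-1 warning also fires.
SAMPLE_BAD = """\
managedca.entrust.0.uniqueid=1
managedca.entrust.0.host=dvca.example.com
managedca.entrust.0.xapport=99999
managedca.entrust.0.pkixport=829
managedca.entrust.0.ldap.host=ldap.example.com
managedca.entrust.0.ldap.port=389
managedca.entrust.0.xapexternalauthepf=/opt/entrust/profiles/dvadmin-xap.epf
managedca.entrust.0.ldap.credential=placeholder-bind-password
managedca.entrust.0.xap.connections.initial=50
"""

if __name__ == "__main__":
    for name, text in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, check_managed_ca(text) or ["clean"])
```

Run it against the real settings file before a restart; ERROR lines will stop DV Administration from reaching the DVCA, while the WARN lines flag choices (SHA-1 signing, anonymous directory bind) that work but weaken the deployment.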
To modify an existing user policy to allow PKCS #12 export and XAP external
authentication
1 Log in to Security Manager Administration for the DVCA.
2 In the tree view, expand Security Policy > User Policies.
3 Select the user policy to modify. For example, select Administrator Policy to
modify the user policy assigned to the predefined EAC Administrator and EAC
Auditor roles.
4 Under Policy Attributes:
a Select Allow PKCS#12 Export.
This setting allows users to export their digital ID to a PKCS #12 file.
b Select All Exportable.
This setting allows all private keys to be exported. Enable it only if your
DV administrators need to export their keys; an exported PKCS #12 file is
protected only by the password chosen at export time.
c (Optional.) Change the value of Minimum PKCS#12 Hash Count.
This setting specifies the minimum number of times that the user-supplied
password for the PKCS #12 file is hashed during export. You can enter a
value between 1 (very weak) and 10000 (very secure). The default value of
2000 is sufficient for most deployments.
To create a new user policy to allow PKCS #12 export and XAP external
authentication by copying the Administrator Policy user policy
1 Log in to Security Manager Administration for the DVCA.
2 In the tree view, expand Security Policy > User Policies.
3 Select Administrator Policy.
4 Select Policies > User Policies > Selected User Policy > Copy.
The Copy User Policy dialog box appears.
5 In the Label field, enter DV Administrator Policy.
6 In the Common name field, enter DV Administrator Policy.
7 In the Add to drop-down list, select the searchbase where you want to store the
user policy.
8 Under Policy Attributes:
a Select Allow PKCS#12 Export.
This setting allows users to export their digital ID to a PKCS #12 file.
b Select All Exportable.
This setting allows all private keys to be exported. Enable it only if your
DV administrators need to export their keys; an exported PKCS #12 file is
protected only by the password chosen at export time.
c (Optional.) Change the value of Minimum PKCS#12 Hash Count.
This setting specifies the minimum number of times that the user-supplied
password for the PKCS #12 file is hashed during export. You can enter a
value between 1 (very weak) and 10000 (very secure). The default value of
2000 is sufficient for most deployments.
d Select Allow use with external authentication.
To test DV Administration
1 Open a Web browser.
2 Enter the following URL in your Web browser:
https://<host_name>:<port>/<instance>
Where:
• <host_name> is the fully qualified host name of the server hosting DV
Administration.
• <port> is the SSL port for DV Administration (by default 14443).
• <instance> is the URL path of the DV Administration instance. You specified
the URL path when you installed DV Administration. For example, the
default URL path for DV Administration is DVAdmin.
For example:
https://webserver.example.com:14443/DVAdmin
The login page appears.
3 When prompted to select a user certificate, select a user certificate for a DV
administrator.
4 A security dialog may appear, prompting you to allow the application to access
the private key.
Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.
Deployment overview
Deploying the DVCKM includes the following steps. Each step is described in further
detail in this chapter.
1 Review the list of supported operating systems, Web servers, and Web browsers
in the Entrust Authority Administration Services Release Notes. The most recent
Release Notes are posted on Entrust Datacard TrustedCare.
2 Synchronize the application server and Security Manager Certification Authority
time setting (see “Synchronizing Administration Services and Security Manager
time settings” on page 1381).
3 Create an Entrust profile for the DVCKM (see “Creating DVCKM credentials” on
page 1382).
4 Check the settings in the entrust.ini file (see “Checking the entrust.ini file” on
page 1385).
5 Obtain files from the domestic SPOC that are required to install the DVCKM (see
“Obtaining files from the domestic SPOC for the DVCKM” on page 1387).
6 Install the DVCKM (see “Installing the DVCKM” on page 1388).
7 If the Security Manager directory does not allow anonymous authentication, you
must configure authentication to the directory:
• “Configuring DVCKM authentication to a directory without anonymous
access” on page 1407
• “Configuring SPOC DVCKM Client authentication to a directory without
anonymous access” on page 1409
To create a user entry for the DVCKM profile using Security Manager
Administration
1 Log in to Security Manager Administration for the DVCA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
4 Click the General tab.
5 From the Role drop-down list, select EAC DV CKM Administrator.
6 Select the Certificate Info tab, and then complete the following:
This page lists all configured services (if any). Click Next to add a new service.
Note:
The Document Verifier Certificate Key Management (DVCKM) option is disabled
if DV Administration has not been installed. You must install DV Administration
before you can install the DVCKM. See “Deploying DV Administration” on
page 1305 for information about deploying DV Administration.
a In the text field, enter the full path and file name of the entrust.ini file
from the Entrust CA that issued the DVCKM profile, or click Choose to locate
the file.
b Click Next.
a In the Enter the location of the DVCKM Profile field, click Choose to locate
and select the DVCKM profile (EPF file).
b In the Enter the Password to login to your DVCKM Profile field, enter the
password for the EPF file.
c Click Next.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the DVCKM profile.
b In the Enter the Password to login to your DVCKM Profile field, enter the
password for the profile.
c Click Next.
a In the text field, enter the full path and file name of the entrust.ini file
that you obtained from your domestic SPOC CA, or click Choose to locate
the file.
b Click Next.
a In the Enter the location of the SPOC DVCKM Client Profile field, click
Choose to locate and select the SPOC DVCKM Client profile (EPF file).
b In the Enter the Password to login to your SPOC DVCKM Client Profile field,
enter the password for the EPF file.
c Click Next.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the SPOC DVCKM Client profile.
b In the Enter the Password to login to your SPOC DVCKM Client Profile field,
enter the password for the profile.
c Click Next.
a In the text field, enter the URL to the SPOC Domestic Web Service.
The SPOC Domestic Web Service URL is in the form of
https://<FQDN>:<port>/spoc/services/CvcaService, where:
– <FQDN> is the fully qualified domain name of the server hosting the SPOC
Domestic Web Service.
– <port> is the secure port that the SPOC Domestic Web Service listens on,
typically 9443.
For example:
https://spoc.example.com:9443/spoc/services/CvcaService
b Click Next.
a To enable email notification for DVCKM, select Enable Email Notification for
DVCKM.
If you select this option, the email notification settings are enabled.
b If you chose to enable email notification for DVCKM:
– In the Enter the SMTP Server Fully Qualified Domain Name field, enter the
fully qualified domain name of the SMTP server.
– In the SMTP Server Port field, enter the port number used by the SMTP
server (by default 25).
– In the Enter the DVCKM Administrator Email Address field, enter the email
address where administrators will receive email notification messages.
DVCKM sends messages to this address only if the event is not meant for
a particular object. For example, if a user performs an action that requires
an administrator’s approval, DVCKM sends the message to this email
address.
– In the Enter the DVCKM Appears From Email Address field, enter the email
address that will appear in the From field of the notification messages.
c Click Next.
a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. By default, this option is already selected.
– To not start the service after exiting the installer, deselect Start the service
automatically. You must manually restart Administration Services to use the
new service.
b Click Next.
You can find the URLs to all installed services in the <AS-install>/services.txt
file.
Deployment overview
Deploying the DV Web Service includes the following steps. Each step is described in
further detail in this chapter.
1 Review the list of supported operating systems, Web servers, and Web browsers
in the Entrust Authority Administration Services Release Notes. The most recent
Release Notes are posted on Entrust Datacard TrustedCare.
2 Synchronize the application server and Security Manager Certification Authority
time setting (see “Synchronizing Administration Services and Security Manager
time settings” on page 1413).
3 Create an Entrust profile for the DV Web Service (see “Creating DV Web Service
credentials” on page 1414).
4 Check the settings in the entrust.ini file (see “Checking the entrust.ini file” on
page 1418).
5 If you plan to install the DV Web Service for distributing CSCA materials to
Inspection Systems, obtain files from the domestic CSCA that are required to
install the DV Web Service (see “Obtaining files from the domestic CSCA for the
DV Web Service” on page 1420).
6 The DV Web Service can obtain CSCA materials from the NPKD Web Service. If
the DV Web Service will obtain materials from the NPKD Web Service, obtain
files from the NPKD services that are required to install the DV Web Service (see
“Obtaining files from the National PKD for the DV Web Service” on page 1421).
7 Install the DV Web Service (see “Installing the DV Web Service” on page 1422).
8 If the Security Manager directory does not allow anonymous authentication, you
must configure authentication to the directory (see “Configuring DV Web
Service authentication to a directory without anonymous access” on page 1444).
Note:
Do not modify any other permissions for this role or the DV Web Service will fail
to process and send certificates and certificate requests.
To create a user entry for the DV Web Service profile using Security Manager
Administration
1 Log in to Security Manager Administration for the DVCA.
2 Select Users > New User.
The New User dialog box appears.
3 Click the Naming tab, and then complete the following:
a In the Type drop-down list, select a user type.
The type that you select determines which attribute fields appear. For
example, if you select Person, the First Name, Last Name, Serial Number,
and Email fields appear. If you select Web server, the Name and Description
fields appear.
b In the available attribute fields, enter the name that will become the common
name of the user entry. An asterisk (*) appears beside required fields. You
must enter information into all fields marked with asterisks.
c In the Add to drop-down list, select the searchbase where you want to add
the user entry (for example, select CA Domain Searchbase to add the user
entry to the default searchbase).
d Ensure that the Create profile check box is not checked.
This page lists all configured services (if any). Click Next to add a new service.
a In the SSL/TLS Port Number for DVWS field, enter the port number for the
DV Web Service (by default 9443).
b Click Next.
a In the text field, enter the full path and file name of the entrust.ini file
from the Entrust CA that issued the DV Web Service profile, or click Choose
to locate the file.
b Click Next.
a In the Enter the location of the DVWS Profile field, click Choose to locate
and select the DV Web Service profile (EPF file).
b In the Enter the Password to login to your DVWS Profile field, enter the
password for the EPF file.
c Click Next.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the DV Web Service profile.
b In the Enter the Password to login to your DVWS Profile field, enter the
password for the profile.
c Click Next.
a In the text field, enter the full path and file name of the entrust.ini file
that you obtained from a National PKD administrator, or click Choose to
locate the file.
b Click Next.
a In the Enter the location of the DVWS NPKD Profile field, click Choose to
locate and select the NPKD Client profile (EPF file).
b In the Enter the Password to login to your DVWS NPKD Profile field, enter
the password for the EPF file.
c Click Next.
a From the Slot List From the PKCS11 Library list, select the hardware slot that
contains the NPKD Client profile.
b In the Enter the Password to login to your DVWS NPKD Profile field, enter
the password for the profile.
c Click Next.
a In the DVWS NPKD Client Web Service URL field, enter the URL of the
NPKD Web Service.
The URL for the NPKD Web Service is
https://<server>:<port>/npkd/services/NpkdServiceV1, where:
– <server> is the host name or IPv4 address of the server hosting the NPKD
Web Service.
– <port> is the SSL port for the NPKD Web Service (by default 24443). You
specified this port when you installed the PKD Writer Web Service.
For example:
https://npkd.example.com:24443/npkd/services/NpkdServiceV1
b In the Specify the Polling Interval in Minutes field, enter the frequency, in
minutes, that the DV Web Service will poll the NPKD Web Service for new
CSCA materials. The default frequency is 120 minutes (2 hours).
c Click Next.
a To enable email notification for the DV Web Service, select Enable Email
Notification for DVWS.
If you select this option, the email notification settings are enabled.
b If you chose to enable email notification for the DV Web Service:
– In the Enter the SMTP Server Fully Qualified Domain Name field, enter the
fully qualified domain name of the SMTP server.
– In the SMTP Server Port field, enter the port number used by the SMTP
server (by default 25).
– In the Enter the DVWS Administrator Email Address field, enter the email
address where administrators will receive email notification messages.
The DV Web Service sends messages to this address only if the event is not
meant for a particular object. For example, if a user performs an action that
requires an administrator’s approval, the DV Web Service sends the
message to this email address.
– In the Enter the DVWS Appears From Email Address field, enter the email
address that will appear in the From field of the email messages.
c Click Next.
a To use the service you just installed, you must restart the Administration
Services application server.
– To start the service automatically after exiting the installer, select Start the
service automatically. By default, this option is already selected.
– To prevent the service from starting after exiting the installer, deselect Start
the service automatically. You must then restart Administration Services manually
before you can use the new service.
b Click Next.
24 If you installed the DV Web Service, and if the DV Web Service profile is stored
on a hardware token and you enabled CSCA material distribution:
a On a command line, navigate to the following folder:
<AS-install>\tools\csca-cert-update
b Enter the following command:
csca-cert-update <password> <certificate-file>
Where:
– <password> is the password of the hardware token that contains the DV
Web Service profile.
Configuring DV Administration
DV Administration is a Web-based interface for administering a Document Verifier.
DV administrators use DV Administration to manage DV certificates and certificate
requests, Inspection Systems, and Inspection System certificates and certificate
requests.
This chapter describes how to configure various components and features of DV
Administration. For more information about configuring Administration Services, see
the Administration Services Configuration Guide.
This chapter includes the following sections:
• “Configuring DV Administration logs” on page 1448
• “Configuring the CRL cache timeout” on page 1450
• “Configuring list operations in DV Administration” on page 1451
• “Configuring the date format for DV Administration” on page 1454
• “Configuring email notification for DV Administration” on page 1455
• “Configuring a jurisdiction policy” on page 1471
Configuring DV Administration logs
Administration Services allows you to customize the log file settings for DV
Administration. You can configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain
Setting Description
<Level>
    This setting controls the level of detail for the DV Administration logs.
    The logging level can be one of (in increasing severity):
    • TRACE
    • DEBUG
    • INFO
    • WARNING
    • ERROR
    • ALERT
    • FATAL
    This sets the lowest level of message to show. For example, ERROR provides
    messages of ERROR, ALERT and FATAL status.
    Default: INFO
<Filename>
    This setting specifies the name (including path) of the log file.
    Default: <AS-install>\dvadmin\<instance>\logs\dv_<instance>.log
<Filesize>
    This setting controls the maximum size of a log file, in bytes.
    Default: 1000000
    Do not set the value to 0, or Apache Tomcat will fail to start.
<Backups>
    This setting controls the maximum number of log files to keep. After the last
    log file reaches the maximum size, the first log file is overwritten.
    Default: 10
Note:
You can set a maximum return limit for XAP searches in Security Manager. If a
maximum return limit is configured in Security Manager, the maximum return
limit at Security Manager takes precedence.
Setting Description
<DvCertificate>
    These settings control the search operations for DV certificates.
    <MaxReturn>
        This setting specifies the maximum number of certificates to return in a
        DV certificate list operation. If 0, DV Administration uses the Security
        Manager default XAP return limit (default is 100).
        Default: 1000
    <IncludeExpired>
        This setting controls whether to include expired certificates in the
        results.
        Default: true
<DvCertificateRequest>
    These settings control the search operations for DV certificate requests.
    <MaxReturn>
        This setting specifies the maximum number of certificate requests to
        return in a DV certificate request list operation. If 0, DV
        Administration uses the Security Manager default XAP return limit
        (default is 100).
        Default: 1000
<CvcaEntity>
    These settings control the search operations for CVCAs.
    <MaxReturn>
        This setting specifies the maximum number of CVCAs to return in a CVCA
        list operation. If 0, DV Administration uses the Security Manager default
        XAP return limit (default is 100).
        Default: 1000
<CvcaCertificate>
    These settings control the search operations for CVCA certificates.
    <MaxReturn>
        This setting specifies the maximum number of certificates to return in a
        CVCA certificate list operation. If 0, DV Administration uses the
        Security Manager default XAP return limit (default is 100).
        Default: 1000
    <IncludeExpired>
        This setting controls whether to include expired certificates in the
        results.
        Default: true
<IsEntity>
    These settings control the search operations for Inspection Systems.
    <MaxReturn>
        This setting specifies the maximum number of Inspection Systems to return
        in an Inspection System list operation. If 0, DV Administration uses the
        Security Manager default XAP return limit (default is 100).
        Default: 1000
<IsCertificate>
    These settings control the search operations for Inspection System
    certificates.
    <MaxReturn>
        This setting specifies the maximum number of certificates to return in an
        Inspection System certificate list operation. If 0, DV Administration
        uses the Security Manager default XAP return limit (default is 100).
        Default: 1000
    <IncludeExpired>
        This setting controls whether to include expired certificates in the
        results.
        Default: true
Table 75: DV Administration account tasks, event IDs, and email message files
Setting Description
<ContentTemplate>
    Specifies the name of the XSLT file that is applied to the notification event
    to produce the text of the message. See “Modifying email notification subject
    and message text for DV Administration” on page 1468 for details about
    editing this file.
    Note: This is a system setting and should not be modified.
<FromTemplate>
    Specifies the name of the XSLT file that is applied to the notification event
    to produce the names and email addresses for the RFC 822 From: and Reply-To:
    headers.
    Note: This is a system setting and should not be modified.
<Id>
    Used to declare a unique identifier. This value must match an identifier of a
    notification event that is sent by the XAPNotificationHandler. It is the
    identifier that is used to determine which email notification event should
    handle the notification event.
    Note: This is a system setting and should not be modified.
<RecipientTemplate>
    Specifies the name of the XSLT file that is applied to the notification event
    to produce the names and email addresses of the recipients. The result of the
    transformation is a <Recipients> element.
<SubjectTemplate>
    Specifies the name of the XSLT file that is applied to the notification event
    to produce the text of the RFC 822 Subject: header. The result of the
    transformation is a <Subject> element. See “Modifying email notification
    subject and message text for DV Administration” on page 1468 for details
    about editing this file.
<AttachmentsTemplate>
    Specifies the name of the XSLT file that is applied to the notification event
    to produce the files sent in the email messages as attachments. The result of
    the transformation is an <Attachments> element.
<EmailNotificationEvent>
    <ContentTemplate>dv-unauth-cert-req-create-approved-content</ContentTemplate>
    <FromTemplate>dv-admin-default-from</FromTemplate>
    <Id>dv-unauth-cert-req-foreign-create-approved</Id>
    <RecipientTemplate>queued-approved-customemail-recipients</RecipientTemplate>
    <SubjectTemplate>dv-cert-req-create-subject</SubjectTemplate>
    <AttachmentsTemplate>dv-cert-req-create-approved-attachments</AttachmentsTemplate>
</EmailNotificationEvent>
<EmailNotificationEvent>
    <ContentTemplate>dv-cert-req-create-countersign-approved-content</ContentTemplate>
    <FromTemplate>dv-admin-default-from</FromTemplate>
    <Id>dv-unauth-cert-req-foreign-create-approved</Id>
    <RecipientTemplate>queued-countersign-approved-customemail-recipients</RecipientTemplate>
    <SubjectTemplate>dv-cert-req-create-countersign-subject</SubjectTemplate>
    <AttachmentsTemplate>dv-cert-req-create-approved-attachments</AttachmentsTemplate>
</EmailNotificationEvent>
c For each email notification event, you can configure the settings described in
Table 76 on page 1463.
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin), for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Restart Administration Services.
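Note that the two <EmailNotificationEvent> entries shown above carry the same <Id> value, although Table 76 states that the identifier must be unique and is what selects the event that handles a notification. A quick lint of the file before restarting Administration Services catches that kind of slip. The following Python script is an added example, not Entrust's code: it parses the events out of a configuration.global.xml fragment, checks that each event carries the six settings from Table 76, flags empty values and template names that are not bare file names, and reports duplicate <Id> values. The enclosing <EmailNotificationEvents> element name and the third, deliberately incomplete event are constructed assumptions.

```python
"""Lint <EmailNotificationEvent> entries from an Administration Services
configuration.global.xml.  Added example; not Entrust's code."""
import xml.etree.ElementTree as ET
from collections import Counter

# The six settings described in Table 76.
REQUIRED = ("ContentTemplate", "FromTemplate", "Id",
            "RecipientTemplate", "SubjectTemplate", "AttachmentsTemplate")

# Constructed sample: the two events shown in the guide plus one deliberately
# incomplete event.  The <EmailNotificationEvents> wrapper name is an assumption.
SAMPLE_CONFIG = """<EmailNotificationEvents>
  <EmailNotificationEvent>
    <ContentTemplate>dv-unauth-cert-req-create-approved-content</ContentTemplate>
    <FromTemplate>dv-admin-default-from</FromTemplate>
    <Id>dv-unauth-cert-req-foreign-create-approved</Id>
    <RecipientTemplate>queued-approved-customemail-recipients</RecipientTemplate>
    <SubjectTemplate>dv-cert-req-create-subject</SubjectTemplate>
    <AttachmentsTemplate>dv-cert-req-create-approved-attachments</AttachmentsTemplate>
  </EmailNotificationEvent>
  <EmailNotificationEvent>
    <ContentTemplate>dv-cert-req-create-countersign-approved-content</ContentTemplate>
    <FromTemplate>dv-admin-default-from</FromTemplate>
    <Id>dv-unauth-cert-req-foreign-create-approved</Id>
    <RecipientTemplate>queued-countersign-approved-customemail-recipients</RecipientTemplate>
    <SubjectTemplate>dv-cert-req-create-countersign-subject</SubjectTemplate>
    <AttachmentsTemplate>dv-cert-req-create-approved-attachments</AttachmentsTemplate>
  </EmailNotificationEvent>
  <EmailNotificationEvent>
    <ContentTemplate>../not-a-template-name</ContentTemplate>
    <FromTemplate>dv-admin-default-from</FromTemplate>
    <Id>constructed-incomplete-event</Id>
    <RecipientTemplate></RecipientTemplate>
  </EmailNotificationEvent>
</EmailNotificationEvents>
"""


def parse_events(xml_text):
    """Return one dict per <EmailNotificationEvent>, keyed by child tag."""
    root = ET.fromstring(xml_text)
    return [{child.tag: (child.text or "").strip() for child in event}
            for event in root.iter("EmailNotificationEvent")]


def is_bare_name(value):
    """Template settings name an XSL file in the templates folder; a value with
    path separators or '..' is not a plain file name and deserves a look."""
    return value != "" and "/" not in value and "\\" not in value and ".." not in value


def lint_events(events):
    """Return human-readable findings; an empty list means the events look sane."""
    findings = []
    for index, event in enumerate(events, start=1):
        label = event.get("Id") or f"event #{index}"
        for tag in REQUIRED:
            if tag not in event:
                findings.append(f"{label}: missing <{tag}>")
            elif event[tag] == "":
                findings.append(f"{label}: empty <{tag}>")
            elif tag != "Id" and not is_bare_name(event[tag]):
                findings.append(f"{label}: <{tag}> value {event[tag]!r} is not a bare file name")
    # <Id> must be unique: it selects which event handles a notification.
    id_counts = Counter(event["Id"] for event in events if event.get("Id"))
    for ident, count in sorted(id_counts.items()):
        if count > 1:
            findings.append(f"duplicate <Id> {ident!r} used by {count} events")
    return findings


if __name__ == "__main__":
    for finding in lint_events(parse_events(SAMPLE_CONFIG)):
        print(finding)
```

Run against the real file, replace SAMPLE_CONFIG with the contents of configuration.global.xml; the lint is read-only and changes nothing, which is the point when the <Id>, <ContentTemplate> and <FromTemplate> settings are marked as not to be modified.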
<EmailNotificationEvent>
    <ContentTemplate>dv-cert-req-create-countersign-approved-content</ContentTemplate>
    <FromTemplate>dv-admin-default-from</FromTemplate>
    <Id>dv-unauth-cert-req-foreign-create-approved</Id>
    <RecipientTemplate>queued-countersign-approved-customemail-recipients</RecipientTemplate>
    <SubjectTemplate>dv-cert-req-create-countersign-subject</SubjectTemplate>
    <AttachmentsTemplate>dv-cert-req-create-approved-attachments</AttachmentsTemplate>
</EmailNotificationEvent>
b If required, remove the comment tags from the following
<EmailNotificationEvents> elements:
<EmailNotificationEvent>
    <ContentTemplate>dv-unauth-cert-req-create-content</ContentTemplate>
    <FromTemplate>dv-admin-default-from</FromTemplate>
    <Id>dv-unauth-cert-req-foreign-create</Id>
    <RecipientTemplate>cvca-entity-cert-customemail-recipients</RecipientTemplate>
    <SubjectTemplate>dv-cert-req-create-subject</SubjectTemplate>
    <AttachmentsTemplate>dv-cert-req-create-attachments</AttachmentsTemplate>
</EmailNotificationEvent>
<EmailNotificationEvent>
<ContentTemplate>dv-unauth-cert-req-create-approved-con
Attention:
Only personnel with knowledge of XSLT should attempt to modify email
notification text. To compare your changes with the default versions of the XSL
files, see the <AS-install>\templates folder for the default files. Do not modify
any of the files in the templates folder.
Begin using your digital ID again at any time. If you have lost your
digital ID or forgotten your password, please contact your LRA.
Note:
A CVCA with no jurisdictions assigned can administer any jurisdiction. Inspection
Systems that do not have a jurisdiction assigned can only be issued certificates
anchored by CVCAs that have no jurisdictions assigned.
You define jurisdictions in the Security Manager certificate specifications. For more
information about modifying certificate specifications, see the Security Manager
Administration User Guide.
You can only assign jurisdictions using DV Administration. You cannot assign
jurisdictions using the Security Manager Control Command Shell.
Configuring DVCKM logs
Administration Services allows you to customize the log file settings for the DVCKM.
You can configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain
Setting Description
<ContentTemplate>
    Specifies the name of the XSLT file that is applied to the notification event
    to produce the text of the message. See “Modifying email notification subject
    and message text for DVCKM” on page 1484 for details about editing this file.
    Note: This is a system setting and should not be modified.
<FromTemplate>
    Specifies the name of the XSLT file that is applied to the notification event
    to produce the names and email addresses for the RFC 822 From: and Reply-To:
    headers.
    Note: This is a system setting and should not be modified.
<Id>
    Used to declare a unique identifier. This value must match an identifier of a
    notification event that is sent by the XAPNotificationHandler. It is the
    identifier that is used to determine which email notification event should
    handle the notification event.
    Note: This is a system setting and should not be modified.
<RecipientTemplate>
    Specifies the name of the XSLT file that is applied to the notification event
    to produce the names and email addresses of the recipients. The result of the
    transformation is a <Recipients> element.
<SubjectTemplate>
    Specifies the name of the XSLT file that is applied to the notification event
    to produce the text of the RFC 822 Subject: header. The result of the
    transformation is a <Subject> element. See “Modifying email notification
    subject and message text for DVCKM” on page 1484 for details about editing
    this file.
<AttachmentsTemplate>
    Specifies the name of the XSLT file that is applied to the notification event
    to produce the files sent in the email messages as attachments. The result of
    the transformation is an <Attachments> element.
Attention:
Only personnel with knowledge of XSLT should attempt to modify email
notification text. To compare your changes with the default versions of the XSL
files, see the <AS-install>\templates folder for the default files. Do not modify
any of the files in the templates folder.
Begin using your digital ID again at any time. If you have lost your
digital ID or forgotten your password, please contact your LRA.
<xsl:call-template name="signature"/>
</xsl:template>
5 Save and close the file.
Setting Description
<Server>
    An instance setting that sets the Uniform Resource Locator (URL) address for
    the XAP Server. The DVCKM sends requests to this URL.
    Note: This setting is defined during installation and should not be changed.
<Connections>
    The initial number of connections that the DVCKM opens with the XAP server
    when Administration Services starts. The number of connections to the XAP
    server increases automatically up to the maximum when the number of users
    concurrently using Administration Services increases.
    Default value: 2
<IdleTimeout>
    Specifies the length of time (in minutes) that the DVCKM allows a connection
    with the XAP server to remain idle before closing it and creating a new
    connection.
    Default value: 30
Configuring DV Web Service logs
Administration Services allows you to customize the log file settings for the DV Web
Service. You can configure the following log settings:
• the log file name and location
• the level of messages recorded in the file
• the maximum size the log file can reach before a new log file is created
• the number of old log files to retain
Setting Description
<Level>
    Sets the level of detail for the logs.
    The logging level can be one of (in increasing severity) TRACE, DEBUG, INFO,
    WARNING, ERROR, ALERT, or FATAL. This sets the lowest level of message to
    show. For example, ERROR provides messages of ERROR, ALERT and FATAL status.
    Default: INFO
<FileName>
    Sets the name (including path) of the log file.
    Default: <AS-install>\services\dvws\dvws\logs\dvws_dvws.log
<FileSize>
    Sets the maximum size of a log file, in bytes.
    Default: 1000000
    Do not set the value to 0, or Apache Tomcat will fail to start.
<Backups>
    Sets the maximum number of log files to keep. After the last log file reaches
    the maximum size, the first log file is overwritten.
    Default: 10
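The DV Administration, DVCKM and DV Web Service log tables describe the same four settings with the same semantics: a severity threshold where ERROR keeps ERROR, ALERT and FATAL, and a file size that must never be 0 because Tomcat then fails to start. The element names differ only in case (<Filename>/<Filesize> for DV Administration, <FileName>/<FileSize> for the DV Web Service), which a checker has to tolerate. The following Python code is an added example, not Entrust's code: it reads the settings from an XML fragment case-insensitively, validates them before a restart, and applies the threshold rule to a few constructed log lines. The enclosing <Log> element name and the "date time LEVEL message" line layout are assumptions.

```python
"""Check DV log settings and apply the level threshold to sample lines.
Added example; not Entrust's code."""
import re
import xml.etree.ElementTree as ET

# Levels in increasing severity, as listed in the log settings tables.
LEVELS = ("TRACE", "DEBUG", "INFO", "WARNING", "ERROR", "ALERT", "FATAL")

# Constructed sample.  The enclosing <Log> element name is an assumption; the
# FileSize of 0 is the misconfiguration the tables warn about.
SAMPLE_LOG_CONFIG = r"""<Log>
  <Level>ERROR</Level>
  <FileName>C:\Entrust\AdminServices\services\dvws\dvws\logs\dvws_dvws.log</FileName>
  <FileSize>0</FileSize>
  <Backups>10</Backups>
</Log>"""

# Constructed log lines; the "date time LEVEL message" layout is an assumption.
SAMPLE_LINES = [
    "2024-03-01 09:00:00 INFO DV Web Service started",
    "2024-03-01 09:05:12 DEBUG polling NPKD Web Service for CSCA materials",
    "2024-03-01 09:05:13 ERROR NPKD Web Service did not respond",
    "2024-03-01 09:05:14 ALERT revocation check of CSCA materials failed",
    "2024-03-01 09:05:15 FATAL cannot open DV Web Service profile",
]

LINE_RE = re.compile(r"^\S+ \S+ (?P<level>[A-Z]+) (?P<message>.*)$")


def parse_log_settings(xml_text):
    """Key settings by lower-cased tag so that the DV Administration spelling
    (<Filename>, <Filesize>) and the DV Web Service spelling (<FileName>,
    <FileSize>) are read the same way."""
    root = ET.fromstring(xml_text)
    return {child.tag.lower(): (child.text or "").strip() for child in root}


def _positive_int(text):
    """Return the integer value of text if it is a positive integer, else None."""
    try:
        value = int(text)
    except ValueError:
        return None
    return value if value > 0 else None


def validate_log_settings(settings):
    """Return a list of problems; an empty list means the settings are usable."""
    problems = []
    if settings.get("level", "").upper() not in LEVELS:
        problems.append("Level must be one of " + ", ".join(LEVELS))
    if not settings.get("filename"):
        problems.append("FileName must not be empty")
    if _positive_int(settings.get("filesize", "")) is None:
        problems.append("FileSize must be a positive byte count; 0 makes Tomcat fail to start")
    if _positive_int(settings.get("backups", "")) is None:
        problems.append("Backups must be at least 1")
    return problems


def filter_lines(lines, threshold):
    """Keep lines whose level is at or above the threshold, so a threshold of
    ERROR keeps ERROR, ALERT and FATAL and drops everything below."""
    floor = LEVELS.index(threshold.upper())
    kept = []
    for line in lines:
        match = LINE_RE.match(line)
        if match and match.group("level") in LEVELS \
                and LEVELS.index(match.group("level")) >= floor:
            kept.append(line)
    return kept


if __name__ == "__main__":
    settings = parse_log_settings(SAMPLE_LOG_CONFIG)
    for problem in validate_log_settings(settings):
        print("problem:", problem)
    for line in filter_lines(SAMPLE_LINES, settings["level"]):
        print(line)
```

Because Filesize times Backups bounds what survives on disk, run the validation whenever you lower the threshold to DEBUG or TRACE for troubleshooting: the extra volume cycles through the retained files faster, and the INFO and WARNING lines you may need for an investigation are overwritten sooner.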
Table 83: DV Web Service account tasks, event IDs, and email message files
To enable or disable email notification for specific events for the DV Web Service
1 Log in to the Administration Services server hosting the application server
components.
2 Open the configuration.global.xml file for the DV Web Service. You can find
the file in the following folder:
Setting Description
<ContentTemplate>
    Specifies the name of the XSLT file that is applied to the notification event
    to produce the text of the message. See “Modifying email notification subject
    and message text for the DV Web Service” on page 1500 for details about
    editing this file.
    Note: This is a system setting and should not be modified.
<FromTemplate>
    Specifies the name of the XSLT file that is applied to the notification event
    to produce the names and email addresses for the RFC 822 From: and Reply-To:
    headers.
    Note: This is a system setting and should not be modified.
<Id>
    Used to declare a unique identifier. This value must match an identifier of a
    notification event that is sent by the XAPNotificationHandler. It is the
    identifier that is used to determine which email notification event should
    handle the notification event.
    Note: This is a system setting and should not be modified.
<RecipientTemplate>
    Specifies the name of the XSLT file that is applied to the notification event
    to produce the names and email addresses of the recipients. The result of the
    transformation is a <Recipients> element.
<SubjectTemplate>
    Specifies the name of the XSLT file that is applied to the notification event
    to produce the text of the RFC 822 Subject: header. The result of the
    transformation is a <Subject> element. See “Modifying email notification
    subject and message text for the DV Web Service” on page 1500 for details
    about editing this file.
<AttachmentsTemplate>
    Specifies the name of the XSLT file that is applied to the notification event
    to produce the files sent in the email messages as attachments. The result of
    the transformation is an <Attachments> element.
Begin using your digital ID again at any time. If you have lost your
digital ID or forgotten your password, please contact your LRA.
<xsl:call-template name="signature"/>
</xsl:template>
5 Save and close the file.
If the file contains Unicode characters beyond 7-bit ASCII (Basic Latin) for
languages such as French or Japanese, save the file with UTF-8 encoding.
6 Repeat this procedure for each event you want to modify.
Setting Description
<Server>
    An instance setting that sets the Uniform Resource Locator (URL) address for
    the XAP Server. The DV Web Service sends requests to this URL.
    Note: This setting is defined during installation and should not be changed.
<Connections>
    The initial number of connections that the DV Web Service opens with the XAP
    server when Administration Services starts. The number of connections to the
    XAP server increases automatically up to the maximum when the number of users
    concurrently using Administration Services increases.
    Default value: 2
<IdleTimeout>
    Specifies the length of time (in minutes) that the DV Web Service allows a
    connection with the XAP server to remain idle before closing it and creating
    a new connection.
    Default value: 30
To configure the XAP message signing algorithm for the DV Web Service
1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvws-config.xml file in a text editor. You can find the file in the
following folder:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\config
3 Locate the following setting:
<SigningDigestAlgorithm>sha1</SigningDigestAlgorithm>
4 Configure the value to sha1 or sha256.
5 Restart Administration Services.
Configuring how often the DV Web Service checks for new CSCA materials
The DV Web Service will periodically check the incoming CSCA materials folder (see
“Configuring the incoming CSCA materials folder” on page 1508) for new CSCA
materials. By default, the DV Web Service checks every 10 minutes for new CSCA
materials.
You can configure how often the DV Web Service checks the incoming CSCA
materials folder for new CSCA materials. When the DV Web Service finds new CSCA
materials, it saves copies of the materials to the CSCA materials storage folder
(see “Configuring the CSCA materials storage folder” on page 1509).
To configure how often the DV Web Service checks for new CSCA materials
1 Log in to the Administration Services server hosting the application server
components.
2 Open the dvws-config.xml file. You can find the file in:
<AS-install>\services\dvws\dvws\webapp\WEB-INF\config
3 Locate the <CSCAMaterialDistribution> section. For example:
<CSCAMaterialDistribution>
    <Enabled>false</Enabled>
    <IncomingFolder>C:\Program Files\Entrust\AdminServices/services/dvws/dvws/webapp/incoming-csca-materials</IncomingFolder>
    <StorageFolder>C:\Program Files\Entrust\AdminServices/services/dvws/dvws/webapp/csca-store</StorageFolder>
    <MonitorThreadIntervalMinutes>10</MonitorThreadIntervalMinutes>
    <RevocationCheckMaterials>true</RevocationCheckMaterials>
    <FailIfNoCRL>false</FailIfNoCRL>
</CSCAMaterialDistribution>
To provide the latest domestic CSCA root certificate to the DV Web Service
1 Log in to the Administration Services server hosting the application server
components.
2 Obtain the latest domestic CSCA root certificate from your CSCA administrator.
3 On a command line, navigate to the following folder:
<AS-install>\tools\csca-cert-update
4 Enter the following command:
csca-cert-update <password> <certificate-file>
Where:
• <password> is the password for the DV Web Service profile. If the DV Web
Service profile is stored on hardware, then <password> is the password of the
hardware token.
• <certificate-file> is the path and file name of the CSCA certificate.
For example:
csca-cert-update Example@1234 "c:/csca-certificate.cer"
5 If you previously provided a domestic master list to the DV Web Service, delete
the stored master list from the following folder:
<AS-install>\services\dvws\dvws\webapp\csca-store\ml
The stored master list was signed by the previous CSCA certificate, and can no
longer be verified by the DV Web Service with the new CSCA certificate.
6 Provide any updated CSCA materials (such as a new master list signed by the
latest CSCA) to the DV Web Service. See “Providing CSCA materials to the DV
Web Service” on page 1514 for details.
7 Restart Administration Services.
Note:
This section only provides information about starting and stopping, logging in,
and logging out of Security Manager Control Command Shell. For more
information about getting started in Security Manager Control Command Shell
including important information about character encoding and using special
characters, see the Security Manager Operations Guide.
Note:
If you log in to Windows as a different Windows user, you cannot log in to
Security Manager Control Command Shell or run any commands.
2 Open the Security Manager Control Command Shell using one of the following
methods:
• Double-click the shortcut icon on the desktop.
• From the Start menu: click Start, click the down arrow to access Apps, then
click Security Manager Control Command Shell.
When listed by name or category, Security Manager Control Command Shell
is listed under Entrust.
The Security Manager Control Command Shell window appears. The window
presents copyright information about Security Manager, information about
getting help in Security Manager Control Command Shell, and the default
Security Manager Control Command Shell prompt (entsh$).
3 At the prompt, enter:
login
4 If you are using hardware-based database protection (see the Security Manager
Operations Guide), Security Manager Control Command Shell prompts you for
the password of the hardware device:
A password is required to log into 'CAHdwareVendor01 SN :
99ERT-A7-00-1'.
Password:
Enter the password of the hardware device.
5 Security Manager Control Command Shell prompts you for your Master User
user name:
Master User Name:
Enter your Master User user name.
The predefined Master User names (Master1, Master2, and Master3) are
case-sensitive. Names of custom Master Users (see the Security Manager
Operations Guide) are not case-sensitive.
6 Security Manager Control Command Shell prompts you for your Master User
password:
Password:
Note:
If you include these commands in your startup script, you do not need to enter
them each time you log in to your server to run Security Manager Control
Command Shell.
Logging in to DV Administration
You are required to log in to the CVCA Administration interface with a certificate
stored in your Web browser (see “Creating DV administrators” on page 1373).
Note:
You can customize the DV Administration interface to reflect the corporate
identity of your company. For details, see “Customizing DV Administration” on
page 1633.
To test DV Administration
1 Open a Web browser.
2 Enter the following URL in your Web browser:
https://<host_name>:<port>/<instance>
Where:
• <host_name> is the fully qualified host name of the server hosting DV
Administration.
• <port> is the SSL port for DV Administration (by default 14443).
• <instance> is the URL path of the DV Administration instance. You specified
the URL path when you installed DV Administration. For example, the
default URL path for DV Administration is DVAdmin.
For example:
https://webserver.example.com:14443/DVAdmin
The login page appears.
Note:
The security dialog box may appear behind the browser window. Click the dialog
box’s window icon in the taskbar to bring the dialog box to the front.
Information bar
The information bar in the DV Administration interface displays the distinguished
name (DN) of the currently logged in administrator on the left. On the right, the
following links are available:
• About
Click About to view the version and legal information for the Entrust
Authority EAC systems.
• Help
Click Help on any page to view the Help documentation for that page. A link
to the help index is available on each Help page. A link to browser
requirements is available in the help index.
• locales (main page only)
Click a locale link to change the language used in the interface. By default,
DV Administration provides English and French locales.
Taskbar
The taskbar has links to the main task areas available to the currently logged-in
administrator. For example, if you are logged in as EAC Administrator, the Document
Verifier, Country Verifying CAs, Inspection Systems, Certificates, Queued
operations, and My Account tasks appear. The current task is emphasized by a white
background.
Action bar
The action bar has tabs that indicate subtasks or actions available for the particular
task. The current tab is emphasized in darker blue. The action bar displays the current
action within the task.
The bread crumb trail allows administrators to easily see where they are within a task
and navigate back to previous steps.
Tables
When administrators retrieve results, the results are displayed in a table.
Administrators can sort the results in the table:
• Click the column header link in a results table to sort the table by that
column.
To display the Document Verifier holder identity using the Security Manager Control Command Shell
1 Log in to Security Manager Control Command Shell (see “Logging in to Security
Manager Control Command Shell” on page 1518).
2 At the prompt, enter:
dv identity
Security Manager displays the holder identity of the Document Verifier.
Parameter Description
-selfSvc yes | no
    Specifies whether the Document Verifier can use the DVCKM to exchange
    certificates with all CVCAs. The DVCKM is a service provided by Administration
    Services. If yes, the Document Verifier can use the DVCKM. If no, the Document
    Verifier cannot use the DVCKM.
    If not specified, CVCAs cannot use the DVCKM. You can override this setting
    for each CVCA when you add or modify a CVCA.
Parameter Description
<cvca identity>
    The holder identity of the CVCA. The holder identity must start with the
    ISO 3166-1 ALPHA-2 country code, followed by a one to nine character
    ISO 8859-1 Latin-1 label. For example, GBcvca.
Parameter Description
-selfSvc yes | no
    Specifies whether the Document Verifier can use the DVCKM to exchange
    certificates with the CVCA. The DVCKM is a service provided by Administration
    Services. If yes, the Document Verifier can use the DVCKM. If no, the Document
    Verifier cannot use the DVCKM.
    If not specified, it defaults to the setting in the CVCA policy. See
    “Configuring the CVCA policy” on page 1529 for information about viewing and
    changing the CVCA policy.
Note:
The Document Verifier must have the root certificate of the CVCA installed if you
choose automatic key management.
4 To view information about a specific CVCA, click holder identity of the CVCA you
want to view.
The View Details page appears.
Parameter Description
-state enabled | -state disabled
    Finds CVCAs in the enabled state (-state enabled) or CVCAs in the disabled
    state (-state disabled).
-selfSvc yes | -selfSvc no
    Finds CVCAs that can allow the Document Verifier to use the DVCKM to exchange
    certificates with the CVCA (-selfSvc yes) or CVCAs that require administrators
    to exchange certificates manually (-selfSvc no).
Security Manager displays information about each CVCA that matches the criteria
you specified. For example:
Entity Category: CVCA
Holder Identity: CAcvca
Friendly Name: <unset>
Email Address: <unset>
Entity Status: Enabled
Internal Database Id: 2
Last Modified: 05/22/08 11:43:04
Added: 05/22/08 11:43:04
Custom Policy Settings (these override the global settings):
None configured. The global and software default settings will
be used.
Parameter Description
-reset
    Resets the existing custom CVCA policy settings to the CVCA policy defaults.
    Note: If you specify new custom policy settings, the new custom settings
    replace the existing values.
-selfSvc yes | no
    Specifies whether the Document Verifier can use the DVCKM to exchange
    certificates with the CVCA. The DVCKM is a service provided by Administration
    Services. If yes, the Document Verifier can use the DVCKM. If no, the Document
    Verifier cannot use the DVCKM.
    If not specified, it defaults to the setting in the CVCA policy. See
    “Configuring the CVCA policy” on page 1529 for information about viewing and
    changing the CVCA policy.
You have now modified a Country Verifying Certification Authority. The changes take
effect immediately.
3 Verify that you want to suspend the CVCA and then click Suspend.
A confirmation that the CVCA is suspended appears.
3 Verify that you want to activate the CVCA and then click Activate.
A confirmation that the CVCA is activated appears.
Note:
Administration Services cannot import files with file names longer than 3000
characters.
Note:
Validation strings are only required for the initial root CVCA certificate request.
The Document Verifier can cryptographically verify subsequent link CVCA
certificates.
Parameter Description
-root | -link
    Specifies whether the certificate is a root certificate (-root) or a link
    certificate (-link).
    A CVCA certificate is a root certificate if its holder reference and
    authority reference are the same. Otherwise it is a link certificate.
Parameter Description
-root | -link
    Specifies whether the first certificate in the certificate chain is a root
    certificate (-root) or a link certificate (-link). If not specified, -root is
    assumed.
    A CVCA certificate is a root certificate if its holder reference and
    authority reference are the same. Otherwise, it is a link certificate.
    Use the <trust point holder reference> parameter to identify the CVCA
    certificate that starts the certificate chain. If you do not specify the
    <trust point holder reference> parameter, this option is ignored and the
    certificate chain starts with the initial root CVCA certificate.
Parameter Description
<leaf holder reference> Specifies the holder reference of the CVCA certificate that ends the
CVCA certificate chain.
<trust point holder reference> Specifies the holder reference of the CVCA certificate that starts the CVCA certificate chain.
If not specified, the [-root|-link] option is ignored and the initial root CVCA certificate starts the certificate chain.
You have now exported the CVCA certificate chain. If you included a root CVCA
certificate in the chain, Security Manager displays validation strings.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.
Send the CVCA certificates to the Inspection System using a secure method, such as
secure email or diplomatic courier. If you include a root CVCA certificate, it is strongly
recommended that you send the validation string separately to protect against
tampering.
Note:
You only need to specify the domestic CVCA if the domestic CVCA has a
different country code than your Document Verifier, or if more than one CVCA
uses the same country code as your Document Verifier.
If you change the warning threshold or domestic CVCA, it takes effect immediately.
If you change the sequence algorithm, it takes effect in the next Document Verifier
certificate request.
• “To configure the Document Verifier policy in Security Manager Control
Command Shell” on page 1559
• “To configure the Document Verifier policy in DV Administration” on
page 1561
Parameter Description
-warn <days> Specifies the number of days before the certificate expires when
Security Manager starts warning you of the impending expiry. A
value of 0 suppresses the warnings.
If you do not specify a warning threshold, it defaults to 14 days.
To change the frequency at which the messages are logged, edit the
EntDvCertExpiryCheckNotBefore,
EntDvCertExpiryCheckNotAfter and
EntDvCertExpiryCheckPeriod settings in the entmgr.ini file. By
default, warning messages are logged daily. For more information
about these settings, see the Security Manager Operations Guide.
Parameter Description
-super <value> Specifies the holder identity of the Document Verifier’s domestic
CVCA. You only need to specify a domestic CVCA if more than one
CVCA uses the same country code as your Document Verifier, or if
the domestic CVCA uses a different country code than your
Document Verifier.
If the CVCA holder identity does not exist, an error occurs and the
operation fails. To add a CVCA holder identity, see “Adding Country
Verifying Certification Authorities” on page 1530.
If you do not specify a CVCA holder identity, the domestic CVCA is
the CVCA with a country code that matches the country code of
your Document Verifier.
Attention: If more than one CVCA uses the same country code as
your DV or if the domestic CVCA uses a different country code,
some operations may fail if you do not specify the domestic CVCA
in the Document Verifier policy.
-softKey enabled | disabled Controls whether software is permitted as a storage location for the DV keys. If enabled, you can store the DV keys in software. If disabled, you can only store the DV keys on a hardware device.
If you do not specify a value, you can store the DV keys in software.
Attention:
If more than one CVCA uses the same country code as your DV or if the domestic
CVCA uses a different country code, some operations may fail if you do not
specify the domestic CVCA in the Document Verifier policy.
Note:
By default, the domestic CVCA has the same country code as your Document
Verifier. However, the domestic CVCA may have a different country code, or
more than one CVCA may use the same country code. If more than one CVCA
uses the same country code as your Document Verifier, or if no CVCA uses the same
country code as your Document Verifier, ensure that you set the domestic CVCA
by modifying the Document Verifier policy (see “Configuring the Document
Verifier policy” on page 1559).
The following topics describe how to create, list, view, cancel, and export DV
certificate requests:
• “Creating DV certificate requests” on page 1565
• “Viewing DV certificate requests” on page 1571
• “Canceling DV certificate requests” on page 1573
• “Exporting DV certificate requests” on page 1575
Parameter Description
<outputFile> The file name of the file where Security Manager writes the
Document Verifier certificate request.
<cvca identity> The holder identity of the CVCA that will issue the DV certificate.
Security Manager prompts you to select a destination for the new DV keys. For
example:
Select the destination for the new DV key
Choose one of:
1. Software
2. CAHdwareVendor01 SN: 99ERT-A7-00-1 SLOT: 897756
3. CAHdwareVendor02 SN: REM77Z28X SLOT: 1000000029
4. Cancel operation
4 Enter the number associated with the device or action you want to select. For
example, from the previous example, enter 3 to select CAHdwareVendor02, or 4
to cancel the update operation.
5 If you chose to generate your DV keys on a hardware security module (HSM) and
the HSM requires a password, Security Manager prompts you for the hardware
password. Enter the password for the hardware device.
If the certificate request is an unauthenticated certificate request, Security Manager
displays validation strings. The certificate request is unauthenticated if it is the first
certificate request for a CVCA or you specified the -allow unauthenticated
parameter.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of the
actual validation strings. The "SHA1:" and "SHA256:" portions only indicate which
validation string is the SHA1 string and which validation string is the SHA256 string.
If Security Manager fails to write the DV certificate request to the local file system,
Security Manager displays an error and you must use the dv certreq export
command (see “Exporting DV certificate requests” on page 1575).
If Security Manager successfully exported the DV certificate request to a file, send the
DV certificate request to the CVCA administrator using a secure method, such as
secure email or diplomatic courier. If you created an unauthenticated certificate
request, it is strongly recommended that you send the certificate request and
validation strings separately to avoid undetectable tampering.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of
the actual validation strings. The "SHA1:" and "SHA256:" portions only indicate
which validation string is the SHA1 string and which validation string is the
SHA256 string.
6 Click Export.
The File Download dialog box appears.
7 Save the request.
Parameter Description
<outputFile> The file name of the file where Security Manager writes the
Document Verifier certificate request.
Note:
By default, the domestic CVCA has the same country code as your Document
Verifier. However, the domestic CVCA may have a different country code, or
more than one CVCA may use the same country code. If more than one CVCA
uses the same country code as your Document Verifier, or if no CVCA uses the same
country code as your Document Verifier, ensure that you set the domestic CVCA
by modifying the Document Verifier policy (see “Configuring the Document
Verifier policy” on page 1559).
The following topics describe how to import, list, view, and export DV certificates:
• “Importing DV certificates” on page 1578
• “Viewing DV certificates” on page 1581
• “Exporting DV certificates” on page 1585
Importing DV certificates
After you send a DV certificate request to a CVCA administrator and the CVCA
administrator sends you a DV certificate in return, import the DV certificate.
Note:
Administration Services cannot import files with file names longer than 3000
characters.
4 Click Browse to select the file containing the Document Verifier certificate.
5 Click Submit.
The View Certificate page appears.
You have now imported the DV certificate. After importing the DV certificate, inform
Inspection System administrators that you imported a new DV certificate and then
send them the latest DV certificate. See “Exporting DV certificates” on page 1585 for
details about exporting DV certificates.
Viewing DV certificates
You can display a list of Document Verifier certificates and you can view a specific
Document Verifier certificate. Typically, you list or view Document Verifier certificates
to determine which certificates you want to export (see “Exporting DV certificates”
on page 1585), or to determine if the latest Document Verifier certificates are nearing
expiry and you need to request a new Document Verifier certificate (see “Creating
DV certificate requests” on page 1565).
• “To view DV certificates in Security Manager Control Command Shell” on
page 1581
• “To view DV certificates in DV Administration” on page 1583
Note:
DV certificates do not contain elliptic curve domain parameters. When
displaying the key type for elliptic curves, Security Manager will display the
elliptic curve size. For example, if the key type is EC-ansix9p256r1, Security
Manager will display EC-256 as the key type.
Exporting DV certificates
You must export Document Verifier certificates so you can distribute them to
Inspection Systems, enabling the Inspection System to assemble a certificate chain
that an e-passport can read.
You can export a single Document Verifier certificate, or you can export a certificate
chain.
Parameter Description
<outputFile> The file name of the file where Security Manager writes the
Document Verifier certificate.
Parameter Description
-root | -link Specifies whether the first certificate in the certificate chain is a root
certificate (-root) or a link certificate (-link). If not specified, -root
is assumed.
A CVCA certificate is a root certificate if its holder reference and
authority reference are the same. Otherwise, it is a link certificate.
Use the <trust point holder reference> parameter to identify
the CVCA certificate that starts the certificate chain. If you do not
specify the <trust point holder reference> parameter, this
option is ignored and the certificate chain starts with the initial root
CVCA certificate.
<leaf holder reference> Specifies the holder reference of the Document Verifier certificate
that ends the certificate chain.
<leaf authority reference> Specifies the authority reference of the Document Verifier certificate that ends the certificate chain.
<trust point holder reference> Specifies the holder reference of the CVCA certificate that starts the CVCA certificate chain.
If not specified, the [-root|-link] option is ignored and the initial
root CVCA certificate starts the certificate chain.
You have now exported the DV certificate chain. If you included a root CVCA
certificate in the chain, Security Manager displays validation strings.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of the
actual validation strings. The "SHA1:" and "SHA256:" portions only indicate which
validation string is the SHA1 string and which validation string is the SHA256 string.
3 Click Export.
The File Download dialog box appears.
4 Click Save.
The Save As dialog box appears.
5 Choose a file name and location to save the file, and then click Save.
You successfully exported the certificate to your system.
Parameter Description
-ar F | I | FI | "" Specifies the holder access rights (the biometric information
Inspection Systems can access):
• F (fingerprint only)
• I (iris only)
• FI (fingerprint and iris)
• "" (none)
If you do not specify holder access rights, it defaults to fingerprint.
Note: The access rights for an Inspection System cannot exceed the
access rights held by the Document Verifier. If you specify access
rights for an Inspection System that the issuing Document Verifier
does not hold, the Document Verifier will not add those access rights
when issuing a certificate to the Inspection System.
-lifetime years | months | weeks | days <value> Specifies the lifetime of Inspection System certificates in years, months, weeks, or days. Must be between one day and 25 years.
If you do not specify a lifetime, it defaults to one month.
Note: Inspection System certificates cannot exceed the lifetime of
the issuing Document Verifier certificate. When issuing an Inspection
System certificate, the Document Verifier will truncate the lifetime of
the Inspection System certificate if it is set to exceed the lifetime of
the Document Verifier certificate.
-crOpts xstream | none Specifies whether the Document Verifier can accept foreign
certificate requests signed by the domestic certificate stream
(xstream), or not (none).
If not specified, the default is xstream.
See “Certificate streams” on page 85 for information about
certificate streams.
4 To change the read access rights (the biometric information Inspection Systems
can access), choose one of the following options:
• Allow Fingerprint
• Allow Iris
• Allow Fingerprint and Iris
• No Access Rights
The access rights for an Inspection System cannot exceed the access rights held
by the Document Verifier. DV Administration will display only the access rights
that you can set for the Inspection System that will not exceed the access rights
held by the Document Verifier.
5 To set the default lifetime of Inspection System certificates (in years, months,
weeks, or days), enter a lifetime in the Certificate Lifetime Frequency text field
and drop-down list.
Enter a lifetime between one day and 25 years.
Inspection System certificates cannot exceed the lifetime of the issuing
Document Verifier certificate. When issuing an Inspection System certificate, the
Document Verifier will truncate the lifetime of the Inspection System certificate if
it is set to exceed the lifetime of the Document Verifier certificate.
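Steps 4 and 5 above, and the -ar and -lifetime parameters in the preceding table, state two rules the Document Verifier applies when it issues an Inspection System certificate: access rights are reduced to what the DV itself holds, and a lifetime that would outlast the DV certificate is truncated. The Python below is an added example, not Security Manager code, that applies both rules together with the one-day-to-25-year bound. Calendar-month arithmetic (day of month kept, clamped at month end) and the refusal to issue from an already expired DV certificate are the author's assumptions; the sample dates in the test reuse the July 9 to August 9, 2012 certificate shown later in this chapter.

```python
"""Apply the Inspection System policy rules the guide describes at issue time.
Added example, not Security Manager code; calendar arithmetic is an assumption."""
from calendar import monthrange
from datetime import date, timedelta

# Holder access rights as in the guide (F, I, FI, "") expressed as a 2-bit mask
ACCESS_BITS = {"": 0b00, "F": 0b01, "I": 0b10, "FI": 0b11}
BITS_ACCESS = {bits: name for name, bits in ACCESS_BITS.items()}


def effective_access_rights(requested: str, dv_rights: str) -> str:
    """Rights the DV actually grants: the requested rights intersected with its own."""
    return BITS_ACCESS[ACCESS_BITS[requested] & ACCESS_BITS[dv_rights]]


def add_lifetime(start: date, value: int, unit: str) -> date:
    """start plus <value> years|months|weeks|days. Months are calendar months with the
    day of month kept and clamped to the month's length (assumption, not from the guide)."""
    if unit == "days":
        return start + timedelta(days=value)
    if unit == "weeks":
        return start + timedelta(weeks=value)
    if unit not in ("months", "years"):
        raise ValueError(f"unknown lifetime unit {unit!r}")
    months = value * 12 if unit == "years" else value
    years, month0 = divmod(start.month - 1 + months, 12)
    year, month = start.year + years, month0 + 1
    return date(year, month, min(start.day, monthrange(year, month)[1]))


def issue_is_certificate(issue_date: date, lifetime: tuple, requested_rights: str,
                         dv_rights: str, dv_cert_expiry: date) -> dict:
    """What the DV writes into the IS certificate once policy has been applied."""
    value, unit = lifetime
    requested_expiry = add_lifetime(issue_date, value, unit)
    # The guide's bound: between one day and 25 years
    lower, upper = add_lifetime(issue_date, 1, "days"), add_lifetime(issue_date, 25, "years")
    if not lower <= requested_expiry <= upper:
        raise ValueError("lifetime must be between one day and 25 years")
    if dv_cert_expiry <= issue_date:   # assumption: an expired DV certificate cannot issue
        raise ValueError("issuing DV certificate has expired; request a new DV certificate")
    expiry = min(requested_expiry, dv_cert_expiry)   # truncate to the DV certificate's lifetime
    granted = effective_access_rights(requested_rights, dv_rights)
    return {
        "effective": issue_date,
        "expiration": expiry,
        "lifetime_truncated": expiry < requested_expiry,
        "access_rights": granted,
        "rights_reduced": granted != requested_rights,
    }
```

Both reductions are silent in the product (the guide says the DV "will not add" the rights and "will truncate" the lifetime), so the returned flags are what an operator would log or surface to notice that an Inspection System got less than it asked for.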
Parameter Description
<is identity> The holder identity of the Inspection System. The holder identity
must start with the ISO 3166-1 ALPHA-2 country code, followed by
a label of one to nine ISO 8859-1 (Latin-1) characters. For example,
GBinspect.
The country code must match the country code of your Document
Verifier, otherwise Security Manager returns an error.
-ar F | I | FI | "" Specifies the custom holder access rights for the Inspection System:
• F (fingerprint only)
• I (iris only)
• FI (fingerprint and iris)
• "" (none)
If you do not specify custom holder access rights, it defaults to the
setting in the Inspection System policy (see “Configuring Inspection
System policy” on page 1590).
Note: The access rights for an Inspection System cannot exceed the
access rights held by the Document Verifier. If you specify access
rights for an Inspection System that the issuing Document Verifier
does not hold, the Document Verifier will not add those access rights
when issuing a certificate to the Inspection System.
-lifetime years | months | weeks | days <value> Specifies a custom lifetime for the Inspection System certificates in years, months, weeks, or days. Must be between one day and 25 years.
If you do not specify a custom certificate lifetime, it defaults to the setting in the Inspection System policy (see “Configuring Inspection System policy” on page 1590).
Note: Inspection System certificates cannot exceed the lifetime of
the issuing Document Verifier certificate. When issuing an Inspection
System certificate, the Document Verifier will truncate the lifetime of
the Inspection System certificate if it is set to exceed the lifetime of
the Document Verifier certificate.
4 In the Holder Identity field, enter the holder identity of the Inspection System.
The identity must begin with an ISO 3166-1 ALPHA-2 country code consisting
of two uppercase alphabetic characters, followed by a maximum of nine Latin-1
characters.
5 (Optional.) In the Friendly Name field, enter a descriptive string to identify the
Inspection System.
6 (Optional.) In the E-mail address field, enter an email address associated with the
contact person for the Inspection System.
7 For Read Access Rights, specify the read access rights (the biometric information
Inspection Systems can access) as follows:
• To use the default read access rights, click Use Global Default Value.
Note:
If the number of returned results is greater than the value in the Maximum
Results drop-down list, a warning appears to inform you that there are more
search results available than the maximum returned. Select a higher value in the
Maximum Results field and re-enter your search to display more results.
7 Click Submit to find all Inspection Systems that meet your search criteria.
8 To view a specific Inspection System, click the holder identity of the Inspection
System.
Parameter Description
-state enabled | -state disabled Finds Inspection Systems in the enabled state (-state enabled) or Inspection Systems in the disabled state (-state disabled).
Parameter Description
-ar <value> Finds Inspection Systems with specific holder access rights, where
<value> is one of:
• F (fingerprint only)
• I (iris only)
• FI (fingerprint and iris)
• "" (none)
-lifetime years | months | weeks | days <value> Finds Inspection Systems with a specific certificate lifetime in years, months, weeks, or days. Must be between one day and 25 years.
Security Manager displays information about each Inspection System that matches
the criteria you specified. For example:
Entity Category: IS
Holder Identity: CAis
Friendly Name: <unset>
Email Address: <unset>
Entity Status: Enabled
Internal Database Id: 3
Last Modified: 05/22/08 11:43:04
Added: 05/22/08 11:43:04
Custom Policy Settings (these override the global settings):
None configured. The global and software default settings will
be used.
Parameter Description
-ar F | I | FI | "" Specifies the custom holder access rights for the Inspection System:
• F (fingerprint only)
• I (iris only)
• FI (fingerprint and iris)
• "" (none)
If you do not specify custom holder access rights, it defaults to the
Inspection System policy default. See “Configuring Inspection
System policy” on page 1590 for information about viewing and
changing the Inspection System policy.
Note: The access rights for an Inspection System cannot exceed the
access rights held by the issuing Document Verifier. If you specify
access rights for an Inspection System that the issuing Document
Verifier does not hold, the Document Verifier will not add those
access rights when issuing a certificate to the Inspection System.
Parameter Description
-lifetime years | months | weeks | days <value> Specifies a custom lifetime for the Inspection System certificates in years, months, weeks, or days. Must be between one day and 25 years.
If you do not specify a custom certificate lifetime, it defaults to the
Inspection System policy default. See “Configuring Inspection
System policy” on page 1590 for information about viewing and
changing the Inspection System policy.
Note: Inspection System certificates cannot exceed the lifetime of
the issuing Document Verifier certificate. When issuing an Inspection
System certificate, the Document Verifier will truncate the lifetime of
the Inspection System certificate if it is set to exceed the lifetime of
the Document Verifier certificate.
You have now modified an Inspection System. The changes take effect after you
process the next certificate request from the Inspection System (see “Processing
Inspection System certificate requests” on page 1614).
3 Verify that you want to suspend the Inspection System and then click Suspend.
A confirmation that the Inspection System was successfully suspended appears.
3 Verify that you want to activate the Inspection System and then click Activate.
A confirmation that the Inspection System was successfully activated appears.
3 Verify that you want to delete the Inspection System and then click Delete.
You are asked to confirm that you want to permanently delete the Inspection
System.
4 Click OK to confirm and delete the Inspection System.
Parameter Description
<input file> The file name of the Inspection System certificate request file.
<cvca identity> The holder identity of the CVCA for the target certificate stream.
You must include this parameter if the Inspection System certificate
request does not include a target certificate stream.
Note:
You cannot process a certificate request from an Inspection System that has not
been added to the DV. You must add the Inspection System to the DV before
importing the certificate.
Parameter Description
-valStrAuth <validationString> Allows you to enter the validation string of the Inspection System certificate request.
You only need to specify this parameter for unauthenticated
certificate requests.
The validation string you received may include "SHA1:" or
"SHA256:" at the beginning of the string. Do not include "SHA1:"
or "SHA256:" when entering the validation string. The "SHA1:" or
"SHA256:" portion only indicates if the validation string is a SHA1
string or a SHA256 string, and is not an actual part of the validation
string.
<inputFile> The file name of the file containing the Inspection System certificate
request.
<outputFile> The file name of the file where Security Manager writes the
Inspection System certificate.
Parameter Description
<cvca identity> The holder identity of the CVCA for the target certificate stream. You
must include this parameter if the Inspection System certificate
request does not identify the target certificate stream.
If you configured the Inspection System policy to reject foreign
certificate requests signed by the domestic certificate stream (see
“Configuring Inspection System policy” on page 1590), then the
Document Verifier rejects the certificate request’s signature.
Security Manager displays the Inspection System certificate and exports it to the
output file that you specified. If Security Manager fails to write the Inspection
System certificate to the local file system, Security Manager displays an error, and
you must use the dv is cert export command (see “Exporting Inspection
System certificates” on page 1622.)
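The validation strings displayed when a request or a root CVCA certificate is exported are meant to travel by a different channel than the file itself, and the receiving administrator enters the string, without its "SHA1:" or "SHA256:" label, through -valStrAuth. The Python below is an added example, not Security Manager code, of the check the receiving side performs. It assumes the validation string is the hexadecimal SHA-1 or SHA-256 digest of the exported file; the guide only says which label belongs to which algorithm, so treat that derivation as illustrative. The code drops the label, tolerates the spacing and hyphenation that mail clients insert, picks the algorithm from the label (or from the digest length when there is none), rejects a label that contradicts the length, and compares in constant time.

```python
"""Check a received certificate request against a separately received validation
string. Added example, not Security Manager code. Assumption: the validation
string is the hex SHA-1 or SHA-256 digest of the exported request file."""
import hashlib
import hmac
import re

LABEL_TO_ALGORITHM = {"SHA1": "sha1", "SHA256": "sha256"}
HEX_LENGTH = {"sha1": 40, "sha256": 64}


def parse_validation_string(text: str) -> tuple:
    """Return (algorithm, lowercase hex digest).

    The optional 'SHA1:' / 'SHA256:' label is dropped because, as the guide says, it is
    not part of the string; spaces, colons and hyphens used for grouping are removed.
    """
    m = re.fullmatch(r"\s*(?:(SHA1|SHA256)\s*:)?\s*([0-9A-Fa-f][0-9A-Fa-f\s:-]*)\s*",
                     text, re.IGNORECASE)
    if not m:
        raise ValueError("validation string is not an optionally labelled hex digest")
    label = m.group(1)
    digest = re.sub(r"[\s:-]", "", m.group(2)).lower()
    if label:
        algorithm = LABEL_TO_ALGORITHM[label.upper()]
    else:  # unlabelled: infer from length, 40 hex chars for SHA-1, 64 for SHA-256
        algorithm = {40: "sha1", 64: "sha256"}.get(len(digest))
    if algorithm is None or len(digest) != HEX_LENGTH[algorithm]:
        raise ValueError(f"digest length {len(digest)} does not fit {label or 'any supported algorithm'}")
    return algorithm, digest


def validation_string_for(data: bytes, algorithm: str = "sha256") -> str:
    """What the exporting side would display under the assumption above, label included."""
    label = {"sha1": "SHA1", "sha256": "SHA256"}[algorithm]
    return f"{label}:{hashlib.new(algorithm, data).hexdigest().upper()}"


def request_matches(data: bytes, validation_string: str) -> bool:
    """True when the digest of the received file equals the validation string."""
    algorithm, expected = parse_validation_string(validation_string)
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for an exported certificate request file
SAMPLE_REQUEST = b"constructed sample: not a real CV certificate request"
```

A mismatch here means either the file or the string was altered in transit, and since they travelled separately an attacker would have had to alter both consistently; that is the whole point of the "send the validation string separately" advice repeated throughout this chapter.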
4 Click Browse to locate the file containing the certificate request. The certificate
must be in DER format.
Note:
Validation strings are only required for self-signed certificate requests since these
certificate requests do not have built-in trust. This includes root certificates and
unauthenticated certificate requests. Link certificates and authenticated
certificates have built-in trust since they are signed by a trusted key.
8 If more than one CVCA uses the same country code, enter the CVCA identity of
the target certificate stream into the CVCA identity field.
9 Click Accept to import the certificate request.
A confirmation that the certificate request imported successfully and that the
certificate was issued appears.
Note:
Inspection System certificates do not contain elliptic curve domain parameters.
When displaying the key type for elliptic curves, Security Manager will display the
elliptic curve size. For example, if the key type is EC-ansix9p256r1, Security
Manager will display EC-256 as the key type.
CV Certificate:
Certificate Body:
Profile Identifier: 0
Authority Reference: CAdvCA001
Public Key: EC Public Key (CV format)
OID: id-TA-ECDSA-SHA-256 (0.4.0.127.0.7.2.2.2.2.3)
Key Type: EC-256
Public Point: 046FE879AD5167249E91253BF833B9A14F808D2A436A7EB96
C27B2B3DC5740238F06822A278C288DA1BE005E8381AD3A2D
630937F9DFB2734F0C2F30D15F34EAD6
Holder Reference: CAis1CA001
Holder Authorization: ePassport Terminal Authentication
OID: id-EAC-ePassport (0.4.0.127.0.7.3.1.2.1)
Discretionary Data: 01
Role: IS
Access Rights: Fingerprint only
Effective Date: July 09, 2012 GMT (120709)
Expiration Date: August 09, 2012 GMT (120809)
Signature: FC8A7DC72353E0D0466C15A87C2C1EE2CAA23FC3B14B8FD60
8FF4F5598F9C135DC7EE07F07845A9BF0A4D7801CF59E9105
4556C6B1050BB7C73E14A90D600082
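The display above is Security Manager's rendering of a card verifiable certificate. As an added example (not code from the guide or from Entrust), the Python below re-encodes the printed values into the BER-TLV layout that BSI TR-03110 defines for CV certificates and then parses that encoding back out: it applies the guide's root-versus-link rule (holder reference equal to authority reference), derives the displayed EC-256 key type from the public point length because, as the note says, the certificate carries no domain parameters, and decodes the CHAT discretionary data byte (01) into the role and access rights shown. The tag numbers and the CHAT bit layout are taken from TR-03110 as the author of this example reads it; the sample bytes are constructed from the display, and the signature is copied verbatim and not verified.

```python
"""Encode and decode a CV certificate in the BER-TLV layout of BSI TR-03110.
Added example, not Security Manager code. Values are the ones printed in the
guide's certificate display; the signature is copied as-is and not verified."""

# Tag numbers for the CV certificate structure (BSI TR-03110)
CV_CERTIFICATE, CERT_BODY, PROFILE_ID = 0x7F21, 0x7F4E, 0x5F29
CAR, PUBLIC_KEY, CHR, CHAT = 0x42, 0x7F49, 0x5F20, 0x7F4C
EFFECTIVE, EXPIRATION, SIGNATURE = 0x5F25, 0x5F24, 0x5F37
OID, DISCRETIONARY, PUBLIC_POINT = 0x06, 0x53, 0x86

# ePassport CHAT discretionary byte: bits 7-6 role, bit 1 read DG4 (iris), bit 0 read DG3 (fingerprint)
ROLES = {0b00: "IS", 0b01: "DV (foreign)", 0b10: "DV (domestic)", 0b11: "CVCA"}
ACCESS = {0b00: "None", 0b01: "Fingerprint only", 0b10: "Iris only", 0b11: "Fingerprint and iris"}

# Constants taken from the display: OIDs DER-encoded, point and signature hex joined across lines
OID_TA_ECDSA_SHA_256 = bytes.fromhex("04007F00070202020203")   # 0.4.0.127.0.7.2.2.2.2.3
OID_EAC_EPASSPORT = bytes.fromhex("04007F000703010201")        # 0.4.0.127.0.7.3.1.2.1
PUBLIC_POINT_BYTES = bytes.fromhex(
    "046FE879AD5167249E91253BF833B9A14F808D2A436A7EB96"
    "C27B2B3DC5740238F06822A278C288DA1BE005E8381AD3A2D"
    "630937F9DFB2734F0C2F30D15F34EAD6")
SIGNATURE_BYTES = bytes.fromhex(
    "FC8A7DC72353E0D0466C15A87C2C1EE2CAA23FC3B14B8FD60"
    "8FF4F5598F9C135DC7EE07F07845A9BF0A4D7801CF59E9105"
    "4556C6B1050BB7C73E14A90D600082")


def tlv(tag: int, value: bytes) -> bytes:
    """BER-TLV object with a 1- or 2-byte tag and a definite-form length."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return tag.to_bytes(2 if tag > 0xFF else 1, "big") + length + value


def parse_tlv(data: bytes) -> list:
    """Split one level of concatenated BER-TLV objects into (tag, value) pairs."""
    out, i = [], 0
    while i < len(data):
        tag, i = data[i], i + 1
        if tag & 0x1F == 0x1F:              # low five bits set: the tag has a second byte
            tag, i = (tag << 8) | data[i], i + 1
        length, i = data[i], i + 1
        if length & 0x80:                   # long form: the next (length & 0x7F) bytes hold the length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("TLV length runs past the end of the data")
        out.append((tag, data[i:i + length]))
        i += length
    return out


def decode_oid(der: bytes) -> str:
    arcs, acc = [der[0] // 40, der[0] % 40], 0
    for b in der[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def encode_date(yymmdd: str) -> bytes:
    """CV dates are six bytes, one unpacked decimal digit per byte (e.g. 120709)."""
    return bytes(int(c) for c in yymmdd)


def decode_date(raw: bytes) -> str:
    yy, mm, dd = raw[0] * 10 + raw[1], raw[2] * 10 + raw[3], raw[4] * 10 + raw[5]
    return f"20{yy:02d}-{mm:02d}-{dd:02d}"


def build_sample_is_certificate() -> bytes:
    """Constructed sample: the IS certificate from the display, re-encoded as TLV."""
    public_key = tlv(OID, OID_TA_ECDSA_SHA_256) + tlv(PUBLIC_POINT, PUBLIC_POINT_BYTES)
    chat = tlv(OID, OID_EAC_EPASSPORT) + tlv(DISCRETIONARY, b"\x01")   # IS role, fingerprint only
    body = (tlv(PROFILE_ID, b"\x00") + tlv(CAR, b"CAdvCA001") + tlv(PUBLIC_KEY, public_key)
            + tlv(CHR, b"CAis1CA001") + tlv(CHAT, chat)
            + tlv(EFFECTIVE, encode_date("120709")) + tlv(EXPIRATION, encode_date("120809")))
    return tlv(CV_CERTIFICATE, tlv(CERT_BODY, body) + tlv(SIGNATURE, SIGNATURE_BYTES))


def parse_cv_certificate(der: bytes) -> dict:
    """Decode the fields Security Manager displays; the signature is not verified here."""
    [(tag, cert)] = parse_tlv(der)
    if tag != CV_CERTIFICATE:
        raise ValueError(f"expected tag 7F21, got {tag:X}")
    top = dict(parse_tlv(cert))
    body = dict(parse_tlv(top[CERT_BODY]))
    key = dict(parse_tlv(body[PUBLIC_KEY]))
    chat = dict(parse_tlv(body[CHAT]))
    car, chr_ = body[CAR].decode("ascii"), body[CHR].decode("ascii")
    auth = chat[DISCRETIONARY][0]
    return {
        "authority_reference": car,
        "holder_reference": chr_,
        "kind": "root" if car == chr_ else "link",          # the guide's root/link rule
        "public_key_oid": decode_oid(key[OID]),
        # No domain parameters in the certificate, so the size comes from the uncompressed point
        "key_type": f"EC-{(len(key[PUBLIC_POINT]) - 1) * 4}",
        "holder_authorization_oid": decode_oid(chat[OID]),
        "role": ROLES[auth >> 6],
        "access_rights": ACCESS[auth & 0b11],
        "effective": decode_date(body[EFFECTIVE]),
        "expiration": decode_date(body[EXPIRATION]),
        "signature_bytes": len(top[SIGNATURE]),
    }
```

Reading the access rights straight out of the CHAT byte is what an Inspection System operator can do to confirm that the DV really did not add rights beyond its own, as the policy notes earlier in this chapter describe.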
Note:
Inspection System certificates do not contain elliptic curve domain parameters.
When displaying the key type for elliptic curves, Security Manager will display the
elliptic curve size. For example, if the key type is EC-ansix9p256r1, Security
Manager will display EC-256 as the key type.
Parameter Description
<outputFile> The file name of the file where Security Manager writes the
Inspection System certificate.
Parameter Description
-root | -link Specifies whether the first certificate in the certificate chain is a root
certificate (-root) or a link certificate (-link). If not specified, -root
is assumed.
A CVCA certificate is a root certificate if its holder reference and
authority reference are the same. Otherwise, it is a link certificate.
Use the <trust point holder reference> parameter to identify
the CVCA certificate that starts the certificate chain. If you do not
specify the <trust point holder reference> parameter, this
option is ignored and the certificate chain starts with the initial root
CVCA certificate.
<leaf holder reference> Specifies the holder reference of the Inspection System certificate
that ends the certificate chain.
<leaf authority reference> Specifies the authority reference of the Inspection System certificate that ends the certificate chain.
<trust point holder reference> Specifies the holder reference of the CVCA certificate that starts the CVCA certificate chain.
If not specified, the [-root|-link] option is ignored and the initial
root CVCA certificate starts the certificate chain.
You have now exported the Inspection System certificate chain. If you included a root
CVCA certificate in the chain, Security Manager displays validation strings.
For the validation strings, the "SHA1:" and "SHA256:" portions are not part of the
actual validation strings. The "SHA1:" and "SHA256:" portions only indicate which
validation string is the SHA1 string and which validation string is the SHA256 string.
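The chain-export tables for CVCA, DV and Inspection System certificates in this chapter all describe the same walk: from the leaf certificate back to a trust point, with -root or -link choosing which form of the trust point's certificate starts the chain, and the initial self-signed root used when no trust point is given. The Python below is an added example, not Security Manager code, that performs that walk over a constructed store of (holder reference, authority reference) pairs; the CVCA holder references are made up, and when the walk passes a CVCA that has both a root and a link certificate it takes the link so that it keeps moving toward the initial root. It also reports the two failure cases an exporter has to handle: an ambiguous leaf (a holder reference that has both a root and a link certificate, which is why the DV and IS commands also accept a leaf authority reference) and a missing issuer.

```python
"""Assemble a CV certificate chain from a leaf back to a trust point, following
the export semantics described in this chapter. Added example, not Security
Manager code; the certificate store and CVCA holder references are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CVCert:
    holder: str      # Certificate Holder Reference (CHR)
    authority: str   # Certification Authority Reference (CAR)

    @property
    def is_root(self) -> bool:
        """The guide's rule: root when holder and authority references are the same."""
        return self.holder == self.authority


def export_chain(store, leaf_holder, leaf_authority=None, trust_point=None, first="root"):
    """Return the chain ordered trust point -> leaf.

    trust_point: holder reference of the CVCA certificate that starts the chain;
                 None walks back to the initial (self-signed) root.
    first:       'root' or 'link', the form of the trust point's certificate; ignored
                 when trust_point is None, as the guide states.
    """
    leaves = [c for c in store if c.holder == leaf_holder
              and leaf_authority in (None, c.authority)]
    if len(leaves) != 1:
        raise LookupError(f"{len(leaves)} certificates match leaf {leaf_holder!r}; "
                          "give the leaf authority reference to disambiguate")
    chain = [leaves[0]]
    seen = {(chain[0].holder, chain[0].authority)}
    while not chain[0].is_root:
        issuer = chain[0].authority
        candidates = [c for c in store if c.holder == issuer]
        if not candidates:
            raise LookupError(f"no certificate for authority {issuer!r}; chain is incomplete")
        if trust_point is not None and issuer == trust_point:
            wanted = [c for c in candidates if c.is_root == (first == "root")]
            if not wanted:
                raise LookupError(f"trust point {issuer!r} has no {first} certificate")
            chain.insert(0, wanted[0])
            break
        # Prefer the link certificate so the walk continues toward the initial root
        links = [c for c in candidates if not c.is_root]
        nxt = links[0] if links else candidates[0]
        if (nxt.holder, nxt.authority) in seen:
            raise ValueError("certificate references form a cycle")
        seen.add((nxt.holder, nxt.authority))
        chain.insert(0, nxt)
    if trust_point is not None and chain[0].holder != trust_point:
        raise LookupError(f"trust point {trust_point!r} is not on the path from {leaf_holder!r}")
    return chain


def describe(chain) -> list:
    return [f"{c.holder} <- {c.authority} ({'root' if c.is_root else 'link'})" for c in chain]


# Constructed store: two CVCA generations (the second has both a self-signed root and a
# link certificate signed by the first), one DV certificate and one IS certificate.
STORE = [
    CVCert("CAcvca001", "CAcvca001"),
    CVCert("CAcvca002", "CAcvca002"),
    CVCert("CAcvca002", "CAcvca001"),
    CVCert("CAdvCA001", "CAcvca002"),
    CVCert("CAis1CA001", "CAdvCA001"),
]
```

The example covers DV and IS chains that end at a CVCA; the corner case where the leaf is itself the trust point is left out. An Inspection System that receives the exported chain performs the mirror image of this walk, verifying each signature with the public key of the certificate before it, which is why a root at the start of the chain needs the out-of-band validation string and a link does not.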
3 In the Inspection System Certificates list, click the holder reference of the
Inspection System certificate that you want to export.
4 Click Export.
A File Download dialog box appears.
5 Click Save.
The Save As dialog box appears.
6 Choose a file name and location to save the file, and then click Save.
You successfully exported the file containing the Inspection System certificate to
your system.
Only operations that you can approve or cancel are displayed in this pane.
• Approve adds an approval to the operation. If this completes the number of
approvals required, the operation proceeds.
• Cancel changes the status of the request to canceled. You must supply a
reason for canceling the request. The request will remain in the queue with
its new status.
• Cancel and Delete cancels the request and deletes it from the queue.
4 Set the search options to return the results that you require. For example, all
queued operations that you can approve, or all queued operations submitted on a
particular date. Use the options in combination to create the list of search results
that fits your needs.
5 Click Submit.
Customizing DV Administration
Entrust Authority Administration Services allows you to customize DV Administration.
By making changes to specific files, you can customize DV Administration to match
your organization’s corporate identity.
This chapter contains the following sections:
• “Customizing the DV Administration interface” on page 1634
• “Customizing the online help for DV Administration” on page 1638
• “Customizing DV Administration styles” on page 1643
• “Adding a custom notification service” on page 1644
Customizing the DV Administration interface
When customizing the DV Administration interface, you can make several changes
to reflect the corporate identity of your company. This section provides you with
details about how to apply those changes.
Note:
Any changes you make may require you to complete manual tasks when you
upgrade to the next version of Administration Services. It is recommended that
you keep track of the changes you make.
commonpage.css Defines the styles for elements common to all pages in the
interface, such as the title bar.
style.css Loads all the CSS files except the help.css file.
Only someone with a good knowledge of CSS should edit the CSS files. When editing
the CSS files, take care not to make any changes that can break the DV
Administration interface. Always back up a file before making any edits to the file.
Localizing DV Administration
DV Administration includes the default locale en_US. The DV Administration file
system allows you to add more than one locale folder for each DV Administration
instance. This chapter describes how to add a new locale to DV Administration.
The preferred language setting in your browser determines the initial locale (the
locale you first access the DV Administration interface). Links to all other installed
locales appear in the navigation bar of the DV Administration interface login page.
When you switch to a new locale, the Language Preference browser setting no longer
applies. You can specify more than one preferred language in your browser settings,
but only the first one in the list is applied. If your browser's default language is your
localized language, the localized page appears with a link to the English page. If the
browser preferred language is not installed, DV Administration always uses the
default locale en_US.
Note:
Do not remove en_US as it is the default locale.
Localization overview
Localization is the process of modifying or adapting a software application to fit the
requirements of a particular locale. Localization includes translating application text
to conform with a specific locale, and it might also include modifying the date, time,
and currency formats.
About locales
A locale is a specific geographic, political, or cultural region. Locales are generally
specified using a language code combined with a country code.
Language codes are two-letter codes defined by ISO 639 Code for the representation
of the names of languages. By convention, language codes are shown in lower case.
Some common examples include:
• en—English
• fr—French
• ja—Japanese
• ko—Korean
• zh—simplified and traditional Chinese
Country codes are two-letter codes defined by ISO 3166 Country Codes. By
convention, country codes appear in upper case. Some common examples include:
• CA—Canada
• US—United States
• GB—United Kingdom (Great Britain)
• JP—Japan
• CN—China
Defining locales
Locales are generally specified using a combination of a language code and a country
code. The most common interpretation of this standard is the two-letter language
code followed by the two-letter country code, for example:
• fr_CA—French (Canada)
• en_US—English (United States)
• en_GB—English (United Kingdom)
• ja_JP—Japanese (Japan)
Note:
If your browser's default language is your localized language, the localized page
will appear with a link to the English page.
Security classes
3 Commands with no key icon are non-harmful commands that do not require
access to the database. They require no authorization.
2 Non-harmful commands. Autologin must be enabled or you must be
logged in to an active Security Manager Control Command Shell
session.
1 Commands requiring access to the database but not causing
irreversible change. You must be logged in to an active Security
Manager Control Command Shell session.
0 Commands causing a policy change or update that may be
irreversible. Requires one additional Master User password if policy
has been set to require multiple authorizations.
Table 108: dv commands
This section provides additional information about the Entrust ePassport Solution.
This section includes the following appendices:
• “Assurance policy tests performed on CSCA materials” on page 1671
• “Verifying the integrity of secure audit logs” on page 1675
• “Extended Access Control audit logs” on page 1677
• “Credentials for Administration Services” on page 1687
• “Glossary” on page 1701
Entrust® ePassport 3.00 Solutions Guide Document issue: 5.0
Report any errors or omissions
Table 109: Assurance policy tests performed on CSCA materials (continued)
• CRL Expired
• CRL Version 2
• Cryptographic Validation
• <audit-file> is the full path and file name of the secure audit log, without
the audit file sequence number appended to the file name.
Administration Services will append a sequence number to the file name,
such as pkdwriter_audit.log.0001. Do not include the sequence number
when specifying the file name.
• <entrust.ini> is an entrust.ini file from the Certification Authority (CA)
that issued the server profile.
• <profile-name> is the full path and file name of the server profile.
• <ual-file> is the full path and file name of the UAL file (Server Login
credentials for the server profile). If not specified, you must enter the profile
password when prompted.
For example:
checkaudit.bat "C:/Program Files/Entrust/AdminServices/services/pkdwriter/pkdwriter/logs/pkdwriter_audit.log" "C:/entrust.ini" "C:/PKD Writer Server.epf" "C:/PKD Writer Server.ual"
4 If you did not specify the path and file name of the UAL file, you are prompted
to provide the profile password:
Enter your profile password:
Enter the profile password.
The secure audit check utility verifies the integrity of the security audit log.
If the integrity check fails for an audit entry, an error similar to the following is
displayed:
Error parsing audits: org.xml.sax.SAXException: MAC on entry failed
A MAC failure means the content of the entry no longer matches the MAC recorded with it.
Treat it as possible tampering with the log, not as a formatting problem.
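The check the utility performs, shown as an added example that is not Entrust's checkaudit code: the secure audit log format is not described on this page, so the example assumes a constructed layout in which each line is a JSON object carrying a sequence number, the audit record, and an HMAC-SHA256 computed over the previous entry's MAC, the sequence number, and the record. A modified entry is reported with the same "MAC on entry failed" condition the utility prints, and the chaining additionally exposes a removed or reordered entry. The key, the records, and the event names are constructed for the example.

```python
"""Added example: verifying a MAC-protected, chained audit log.

Illustrative code, not Entrust's checkaudit utility. The log layout
(one JSON object per line, HMAC-SHA256 chained over the previous MAC)
is an assumption made for this example.
"""
import hashlib
import hmac
import json
from typing import Iterable, List, Tuple

# Constructed key and records for the example. A real verifier would
# obtain the key from the server profile credentials, not a literal.
DEMO_KEY = b"example-audit-mac-key"
DEMO_RECORDS = [
    {"time": "2024-01-01T10:00:00Z", "event": "PKDWRITER_STARTED", "user": "pkdwriter"},
    {"time": "2024-01-01T10:05:00Z", "event": "DS_CERT_UPLOADED", "user": "pkdwriter"},
    {"time": "2024-01-01T10:09:00Z", "event": "PKDWRITER_STOPPED", "user": "pkdwriter"},
]


def _entry_mac(key: bytes, prev_mac: str, seq: int, record: dict) -> str:
    """HMAC-SHA256 over previous MAC || sequence number || canonical record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    msg = prev_mac.encode() + seq.to_bytes(8, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def write_audit_log(key: bytes, records: Iterable[dict]) -> List[str]:
    """Produce log lines; each entry's MAC chains on the MAC before it."""
    lines: List[str] = []
    prev = ""  # the first entry chains on an empty MAC
    for seq, rec in enumerate(records, start=1):
        mac = _entry_mac(key, prev, seq, rec)
        lines.append(json.dumps({"seq": seq, "record": rec, "mac": mac}, sort_keys=True))
        prev = mac
    return lines


def verify_audit_log(key: bytes, lines: Iterable[str]) -> Tuple[bool, List[str]]:
    """Check every entry and report all findings rather than stopping at the first."""
    errors: List[str] = []
    prev, expected_seq = "", 1
    for lineno, line in enumerate(lines, start=1):
        try:
            entry = json.loads(line)
            seq, record, stored = entry["seq"], entry["record"], entry["mac"]
        except (json.JSONDecodeError, KeyError, TypeError):
            errors.append(f"line {lineno}: unparsable entry")
            break
        if not isinstance(seq, int) or seq < 0 or not isinstance(stored, str):
            errors.append(f"line {lineno}: unparsable entry")
            break
        if seq != expected_seq:
            errors.append(f"line {lineno}: expected seq {expected_seq}, found {seq} "
                          "(entry removed or reordered)")
        computed = _entry_mac(key, prev, seq, record)
        if not hmac.compare_digest(computed.encode(), stored.encode()):
            errors.append(f"line {lineno}: MAC on entry failed")
        # Chain on the stored MAC so a single edited record is reported once,
        # at the line where it occurred, instead of cascading down the log.
        prev, expected_seq = stored, seq + 1
    return not errors, errors


def demo() -> dict:
    """Run the verifier over an intact log and over two tampered copies."""
    log = write_audit_log(DEMO_KEY, DEMO_RECORDS)
    edited = list(log)
    edited[1] = edited[1].replace("DS_CERT_UPLOADED", "DS_CERT_REVOKED")  # record altered
    removed = log[:1] + log[2:]                                             # entry 2 deleted
    return {
        "intact": verify_audit_log(DEMO_KEY, log),
        "edited": verify_audit_log(DEMO_KEY, edited),
        "removed": verify_audit_log(DEMO_KEY, removed),
    }


if __name__ == "__main__":
    for name, (ok, errs) in demo().items():
        print(name, "OK" if ok else "FAILED", errs)
```

Chaining does not reveal truncation at the tail of the log, because the last surviving entry still verifies; detecting that requires an independently recorded last sequence number, which is one reason a utility like this one works with the numbered audit files the server produces rather than a single file. The MAC key is the whole security of the scheme: it must not be readable by whoever can write the log, which is why the page's utility is given the server profile and its password rather than a bare key.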
Note:
If your organization has customized the severity rating of any of the audit
records, the severity rating that appears in the table below may not match the
severity rating that appears in the audit published in third-party application files.
For details, see the Security Manager Operations Guide.
Table 110: Security Manager audit logs related to Extended Access Control
Credentials for the PKD Writer services
This section lists the required and optional credentials for the PKD Writer services
provided by Administration Services.
DV administrator certificate
Required to install Administration Services: No.
Issuing CA: DVCA.
Role: EAC Administrator, EAC Auditor, or a custom role.
The predefined EAC Administrator role allows administrators to perform all
operations for a CVCA or DV. The predefined EAC Auditor role allows administrators
only to view information for a CVCA or a DV. You can create custom roles for your
administrators that control which operations an administrator can perform for a
CVCA or DV.
Certificate type: (Enterprise) Default.
SubjectAltName: None.
DVCKM profile
Required to install Administration Services: Yes.
Issuing CA: DVCA.
Role: EAC DV CKM Administrator.
Certificate type: Admin Services User Registration.
SubjectAltName: None.
See “Creating DVCKM credentials” on page 1382 for details.
Glossary

activation codes: When an Entrust PKI administrator adds a user to Security Manager, a reference number and authorization code are generated. Together, the reference number and authorization code are called activation codes. You can use the activation codes to create an Entrust profile.

ASN.1: Abstract Syntax Notation One. A language that enables different communication systems to exchange data.

authentication: The process of proving your identity. In a Security Manager system, authentication works through a password-protected encrypted file, called a digital ID.

authorization code: A code (for example, CMTJ-8VOR-VFNS) obtained from an Entrust PKI administrator. It is required, along with its corresponding reference number, to create a new Entrust profile or to recover an existing profile. An authorization code and its corresponding reference number are called activation codes. Authorization codes can only be used once.

BAC: See Basic Access Control.

Basic Access Control: The mechanism used to control access to the MRTD chip and to prevent eavesdropping on the communication between the MRTD and the Inspection System. BAC by itself does not prove the authenticity of the chip or of its data; that is established by verifying the signature on the Document Security Object.

CA: See Certification Authority.

certificate: A certificate is a collection of publicly available information about an entity that is signed by a Certification Authority. The type of information contained in a certificate depends on the type of certificate. For example, a user's public key certificate contains the user's distinguished name, a unique serial number, the user's encryption or verification public key, and the date the key will expire. The CA's signature, which appears on all certificates, ensures the integrity of this information. Other types of certificates include policy certificates, cross-certificates, certificate revocation lists, and authority revocation lists.

certificate revocation list: A signed list containing the serial numbers of public key certificates that have been revoked, and a reason for each revocation. Verification Server reads this information from the directory to check the trustworthiness of the certificates it receives.

certificate request: A file generated by an application (such as a Web server) that contains the information another application (such as Security Manager) uses to create a certificate required by the requesting application.

certificate signing request: See certificate request.

certificate stream: The set of all certificates issued to an EAC entity that are anchored by a particular Country Verifying Certification Authority.

Certification Authority: The part of Security Manager that ensures the trustworthiness of users' electronic identities. The Certification Authority (CA) issues electronic identities in the form of public key certificates, and signs the certificates with its signing key, which ensures the integrity of the electronic identity. All other types of certificates are issued and signed by the CA as well, such as policy certificates, cross-certificates, certificate revocation lists (CRLs), and authority revocation lists (ARLs).

client application: An application that receives information from a server application and requests a service provided by the server application. For example, Administration Services is a client application of Security Manager.

CMS: See Cryptographic Message Syntax.

countersigning: When a Country Verifying Certification Authority signs a Document Verifier certificate request intended for a foreign CVCA.

Country Signing Certification Authority: The root of trust for e-passports issued within its own country. The CSCA issues certificates to one or more Document Signers.

Elementary File Document Security Object: Contains the Document Security Object, which contains the Logical Data Structure Security Object. It is represented as an Elementary File. This is used by the vendor to wrap the data before it is placed on the MRTD.

encrypt: To encrypt a file is to render its contents unreadable to anyone, including the owner of the file, until it is decrypted. Only the owner and the authorized recipients can decrypt the file. The owner determines who the authorized recipients are.

Entrust PKI administrator: An administrative user who uses Security Manager Administration to add users to Security Manager and to carry out other frequent operations such as deactivating users, revoking users' keys, setting up users for key recovery, and creating new encryption key pairs for users.

Entrust profile: A set of user credentials that an Entrust client application creates and manages. It is stored in a proprietary Entrust profile format and is the cornerstone of the user identity within the Entrust PKI. Among other important data, the Entrust profile may contain the user's distinguished name, decryption private keys, signing keys, and the CA certificate.

Extended Access Control: The mechanism used to unlock the biometric data stored in the e-passport chip. It ensures that only authorized entities can access the biometric data.

hardware token: See hardware security module.

hash value: A fixed-length value computed from a piece of data, such as a document, that in practice identifies that data uniquely. If even a single letter in the document is altered, the hash computed over it again is a completely different value.

hardware security module: A physical external device, such as a hardware token, that protects cryptographic keys and other sensitive material. For information about security hardware support and Entrust products, see the Entrust Datacard TrustedCare Web site.

holder identity: A two-character country code (such as GB for the United Kingdom, or US for the United States of America), followed by a character string of one to nine characters called a mnemonic. GBcountry and USairport are examples of holder identities.

HSM: See hardware security module.

IETF: Internet Engineering Task Force.

Inspection System: An application that validates e-passports and accesses their biometric data.

LDS: See Logical Data Structure.

Logical Data Structure: A standardized organization of data recorded to an MRTD.

servlet: A small program that runs on a server.

signing private key: The private key used to create a digital signature over a hash value. The signature is verified with the corresponding verification public key.

SOAP: Simple Object Access Protocol. SOAP provides a way for programs written in different languages (such as Java and C#) to exchange information, using HTTP and XML.

SOD: See Document Security Object.

SOLDS: See Logical Data Structure Security Object.

UAL file (.ual file): Server Login credential file.

user: Any entry in the Security Manager database or directory. Users can be actual end users or Entrust PKI administrators in your organization, or non-human entries such as Web servers or Security Manager client applications.

validation string: A string of alphanumeric characters representing the hash of a certificate or certificate request. Validation strings allow administrators to verify the authenticity of a certificate or certificate request.

verification public key: The public key portion of a signing key pair, used to verify data signed by the corresponding signing private key. The verification public key is stored in a certificate called the verification public key certificate. This certificate is digitally signed by the Certification Authority to attest that the public key within it is the authentic public key of the identified entity.

Web service: There are many different definitions of a Web service. In this document, a Web service is a program that runs within an application server and communicates with other requesting components using the SOAP protocol. Web services have the following advantages:
• The SOAP protocol provides a standard way for the Web service and its client application to encode and decode (or parse) the exchanged objects, so that programmers do not have to write their own. The standard also means that programs written by different companies can communicate with the Web service.
• SOAP envelopes are sent within HTTP requests, so you do not have to open additional ports in your firewall for clients to communicate with the Web service.

WSDL: Web Services Description Language.

X.509: A standard digital certificate format.

XML: Extensible Markup Language. A W3C specification for structured data. Also one of the signature types produced by the Digital Signature Service.
- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z -
A DV 1517
master lists 797
accessing NPKD services 571
Verification Server 275 PKD Writer services 373
activating SPOC 1223
DVs 1079 Administration Services
foreign CVCAs 1037 administering NPKD services 571
Inspection Systems 1609 broken JavaScript code 729, 887, 1130, 1289, 1653
activation codes 1701 browsers cannot display some locale names 887, 1130,
active domestic master list 1289, 1653
exporting 815 configuring CVCA Administration 985
exporting CSCA certificates 817 configuring DV Administration 1447
uploading to the ICAO PKD 819 configuring Master List Signer services 785
viewing 812 configuring NPKD services 545
adding configuring SPOC services 1213
CA certificates to Apache HTTP Server for CVCA configuring the DV Web Service 1493
Administration 967 configuring the DVCKM 1475
CA certificates to Apache HTTP Server for DV configuring the PKD Reader Web Service 425
Administration 1361 configuring the PKD Writer Web Service 347
CA certificates to Apache HTTP Server for the NPKD CVCA Administration 79
services 532 deploying CVCA Administration 907
company logo to CVCA Administration 1110 deploying DV Administration 1305
company logo to DV Administration 1634 deploying PKD Writer DV Web Service 305
company logo to MLS Administration 716, 876 deploying the DV Web Service 1411
company logo to SPOC Administration 1278 deploying the DVCKM 1379
CSCA certificate from a foreign master list as a trust deploying the Master List Signer services 737
anchor 844 deploying the NPKD services 463
custom email notification service 1119, 1644 deploying the PKD Reader Web Service 385
CVCA Administration locale 1124 deploying the SPOC services 1161
CVCAs 1530 deployment overview 306, 386, 465, 739, 908, 1163,
DV Administration locale 1648 1306, 1380, 1412
DVs 1060 DV Web Service 56, 80
foreign CVCAs 1032 DVCKM 80
foreign master lists 829 HTML entities referenced by names 729, 887, 1130,
foreign SPOCs 1229 1289, 1653
Inspection Systems 1594 in a BAC system 55
locales to MLS Administration locale 884 in an EAC system 79
locales to NPKD Administration 724 installing CVCA Administration 926
locales to SPOC Administration locale 1286 installing DV Administration 1320
user for Verification Server 189 installing for a Master List Signer 751
administering installing the DV Web Service 1422
CVCA 1005 installing the DVCKM 1388
1707
- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z -
installing the NPKD services 482 ASN.1
installing the PKD Reader Web Service 404 definition 1701
installing the PKD Writer Web Service 324 profile for Logical Data Structure Security Object 227
installing the SPOC services 1178 structure of Document Security Object 229
list of credentials 1687 assigning
MLS Administration 55 SSL certificates to a CVCA Administration Web site in
MLS Web Service 55 Microsoft IIS 957
NPKD Administration 56 SSL certificates to a DV Administration Web site in
NPKD Web Service 56 Microsoft IIS 1351
PKD Reader Web Service 55 SSL certificates to the CVCA Administration VirtualHost
PKD Writer Web Service 55 in Apache HTTP Server 964
queued operations 1105, 1629 SSL certificates to the DV Administration VirtualHost in
required Microsoft IIS features 468 Apache HTTP Server 1358
SPOC Administration 79 SSL certificates to the NPKD services VirtualHosts in
SPOC Domestic Web Service 80 Apache HTTP Server 529
SPOC Web Service 79 SSL certificates to the npkd Web site in Microsoft
synchronizing time settings with Security IIS 519, 522
Manager 307, 387, 470, 740, 913, 1164, assigning CSCA certificates in a master list as trust
1310, 1381, 1413 anchors 651
translating JSP services 1129, 1652 audit logs 1677
Apache HTTP Server audits 1677
adding CA certificates for CVCA Administration 967 authentication 1701
adding CA certificates for DV Administration 1361 authority reference 83
adding CA certificates for the NPKD services 532 for CVCA certificates 85
assigning SSL certificates to the CVCA Administration for DV certificates 85
VirtualHost 964 for Inspection System certificates 85
assigning SSL certificates to the DV Administration authorization code 1701
VirtualHost 1358 automatic CLR discovery from Document Signer
assigning SSL certificates to the NPKD services certificates
VirtualHosts 529 disabling 561
completing configuration for CVCA enabling 561
Administration 964
completing configuration for DV Administration 1358
completing configuration for the NPKD services 529 B
configuring SSL 201 BAC
configuring the VirtualHost directive 469, 912, 1309 Administration Services 55
Apache Tomcat architecture 50
component of Verification Server 62 CSCA 51
configuring SSL 199 definition 1701
security 197 Document Signer 51
architecture Document Signer Service 56, 59
BAC 50 Entrust products 53
EAC 74 ICAO Public Key Directory 51
archived domestic master lists Inspection Systems 52
exporting 824 Master List Signer 51
making the active domestic master list 826 master lists 51
viewing 821 overview 49
AS-install 42 Security Manager 54
Index 1709
- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z -
draft domestic master lists 791 Offline Token Creation Utility logging 244
DV Administration 1447 PKD Reader Client authentication to a directory without
DV Administration to connect to the DVCA 1364 anonymous access 517
DV license information 1302 PKD Reader Server authentication to a directory
DV policy 1056, 1559 without anonymous access 422
DV Web Service 1493 PKD Reader settings using NPKD Administration 700
DV Web Service authentication to a directory without PKD Reader Web Service 425
anonymous access 1444 PKD Writer Server authentication to a directory without
DVCKM 1475 anonymous access 344
DVCKM authentication to a directory without PKD Writer Web Service 347
anonymous access 1407 secure audit log for NPKD services 569
email notification for CVCA Administration 992 Security Manager as a Master List Signer Services
email notification for DV Administration 1455 CA 734
email notification for DV Web Service 1495 Security Manager as a PKD Reader Services CA 382
email notification for DVCKM 1478 Security Manager as a PKD Writer Services CA 302,
email notification for PKD Reader 426 460
email notification for PKD Writer 348 Security Manager as a SPOC CA 1154
email notification for the NPKD services 550 Security Manager as CSCA 99
entrust.ini file for Verification Server 186 Security Manager as CVCA 894
foreign master lists 790 Security Manager as DV 1296
global assurance policy settings 704 Signature Delivery Service 212
how often DV Web Service checks for CSCA SMTP server settings for CVCA Administration 992
materials 1510 SMTP server settings for DV Administration 1455
incoming CSCA materials folder 1508 SMTP server settings for DV Web Service 1495
Inspection System policy 1590 SMTP server settings for DVCKM 1478
jurisdiction policy 1471 SMTP server settings for PKD Reader 426
LDAP page size for Document Signer certificate list SMTP server settings for PKD Writer 348
operations 560 SMTP server settings for the NPKD services 550
list operations in CVCA Administration 989 SPOC CA 1157
list operations in DVAdministration 1451 SPOC CA certificate 1157
logs for CVCA Administration 986 SPOC Client authentication to a directory without
logs for DV Administration 1448 anonymous access 1201
logs for DV Web Service 1494 SPOC Domestic Web Service authentication to a
logs for DVCKM 1476 directory without anonymous access 1205
logs for Master List Signer services 786 SPOC DVCKM Client authentication to a directory
logs for NPKD services 546 without anonymous access 1409
logs for PKD Reader services 435 SPOC message threads 1218
logs for PKD Writer Web Service 367 SPOC Server authentication to a directory without
logs for SPOC services 1214 anonymous access 1203
logs for the NPKD Validation Engine 548 SPOC services 1213
Master List Server authentication to a directory without SSL on Apache HTTP Server 201
anonymous access 774 SSL on Apache Tomcat 199
Master List Signer authentication to a directory without Verification Server for auditing 266
anonymous access 772 VirtualHost directive on Apache HTTP Server 469, 912,
Master List Signer services 785 1309
NPKD Server authentication to a directory without whether MLS Administration can create domestic
anonymous access 515 master lists 794
NPKD services 545, 710
Index 1711
- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z -
configuring how often DV Web Service checks for new administering 1005
CSCA materials 1510 configuring key updates 1027
configuring the CSCA materials storage folder 1509 configuring license information 903
configuring the incoming CSCA materials folder 1508 configuring Security Manager 894
disabling 1507 configuring the DV policy 1056
enabling 1507 countersigning DV certificate requests 1085
providing latest domestic CSCA root certificate to DV definition 1703
Web Service 1513 deleting 1545
providing materials to DV Web Service 1514 deleting DVs 1081
CSR. See certificate request deleting foreign CVCAs 1039
customer support 45 deploying CVCA Administration 907
customizing disabling 1541
browser title 717, 877, 1111, 1279, 1635 disabling DVs 1076
CVCA Administration application title 1112 disabling foreign CVCAs 1035
CVCA Administration interface 1110 DV certificates 75
CVCA Administration online help 1114 enabling 1542
CVCA Administration styles 1118 enabling CVCAs 1079
Document Signer certificates 138 enabling foreign CVCAs 1037
DV Administration application title 1636 establishing trust with a DV 88
DV Administration interface 1634 exporting domestic CVCA certificates 1020
DV Administration online help 1638 exporting DV certificates 1099
DV Administration styles 1643 exporting foreign CVCA certificates 1050
Master List Signer certificates 143 files for the SPOC services 1177
MLS Administration application title 877 finding 1536
MLS Administration interface 876 finding DVs 1069
MLS Administration styles 880 importing foreign CVCA certificates 1042
NPKD Administration application title 718 initializing 904
NPKD Administration interface 716 installing 893
NPKD Administration styles 720 installing Security Manager 894
SPOC Administration application title 1279 link CVCA certificates 75
SPOC Administration interface 1278 listing 1534
SPOC Administration styles 1282 listing domestic CVCA certificates 1017
Verification Server log files 278 listing DV certificates 1096
CV certificates listing DVs 1066
authority reference 83 listing foreign CVCA certificates 1047
certificate lifetimes 82 listing foreign CVCAs 1033
certificate streams 85 modifying 1537
holder reference 83 modifying DVs 1071
overview 82 overview 75
sequence number algorithm 84 previewing DV certificate requests for
status 82 countersigning 1084
validation strings 86 previewing DV certificate requests for processing 1090
CVCA previewing EAC certificate requests 1103, 1627
activating CVCAs 1079 previewing EAC certificates 1103, 1627
activating foreign CVCAs 1037 processing DV certificate requests 1091
adding 1530 root CVCA certificates 75
adding DVs 1060 suspending 1541
adding foreign CVCAs 1032 suspending DVs 1076
Index 1713
- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z -
requesting from foreign CVCAs 1236 defining locales 722, 882, 1122, 1284, 1646
root certificates 75 deleting
sending to a foreign CVCA 1243 CVCAs 1545
viewing 1550 DVs 1081
viewing domestic CVCA certificates 1017 foreign CVCAs 1039
viewing foreign CVCA certificates 1047 foreign master lists 847
cvca config set 1027, 1137 foreign SPOCs 1234
cvca config view 1027, 1140 inbound requests 1270
cvca dv add 1060, 1140 Inspection Systems 1611
cvca dv cert export 1100, 1143 outbound requests 1253
cvca dv cert list 1096, 1144 deploying
cvca dv cert view 1096, 1144 CVCA Administration 907
cvca dv certreq countersign 1086, 1145 Document Signer Service 163
cvca dv certreq presign 1085, 1145 DV Administration 1305
cvca dv certreq preview 1090, 1144 DV Web Service 1411
cvca dv certreq process 1091, 1144 DVCKM 1379
cvca dv config set 1056, 1146 Master List Signer services 737
cvca dv config view 1056, 1146 NPKD services 463
cvca dv delete 1082, 1141 PKD Reader Web Service 385
cvca dv disable 1077, 1141 PKD Writer Web Service 305
cvca dv enable 1080, 1141 SPOC services 1161
cvca dv list 1066, 1141 digital signature 1703
cvca dv modify 1071, 1141 Digital Signature Service 61
cvca dv search 1070, 1142 client samples 277
cvca dv view 1066, 1143 problems with Verification Server 283
cvca fcvca add 1032, 1147 securing access 197
cvca fcvca cert export 1051, 1147 security 197
cvca fcvca cert export-chain 1052, 1147 Digital Signature service
cvca fcvca cert import 1043, 1148 accessing 277
cvca fcvca cert list 1047, 1051, 1052, 1148 enabling 189
cvca fcvca cert view 1047, 1148 logging user names 198
cvca fcvca delete 1039, 1147 protecting 198
cvca fcvca disable 1036, 1147 directory 1703
cvca fcvca enable 1037, 1147 disabling
cvca fcvca list 1034, 1147 automatic CRL discovery from Document Signer
cvca fcvca view 1034, 1147 certificates 561
cvca identity 1015, 1136 CSCA materials distribution 1507
cvca init 904, 1134 CVCAs 1541
cvca key update 1030, 1149 DVs 1076
CVCA policy 1529 email notification for CVCA Administration 998
cvca util cert preview 1043, 1103, 1149 email notification for DV Administration 1461
cvca util certreq preview 1104, 1149 email notification for DV Web Service 1497
email notification for DVCKM 1481
email notification for PKD Reader 428
D email notification for PKD Writer 350
DDVKey 903 email notification for the NPKD services 552
DDVSerialNumber 903 foreign CVCAs 1035
DDVUserLimit 903 Inspection Systems 1607
Index 1715
- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z -
listing 1066 creating DV administrators 1373
listing CVCA certificates 1550 creating roles for DV administrators 1371
listing CVCAs 1534 creating user policy for DV administrators 1368
listing DV certificate requests 1571 CRL cache timeout 1450
listing DV certificates 1581 customizing styles 1643
listing Inspection System certificates 1619 customizing the application title 1636
listing Inspection Systems 1598 customizing the browser title 1635
modifying 1071 customizing the interface 1634
modifying CVCAs 1537 customizing the online help 1638
modifying Inspection Systems 1602 deploying 1305
overview 76 disabling email notification 1461
previewing DV certificate requests 1613 DV Administration Server credentials 1311
processing DV certificate requests 1614 DV Administration XAP credentials 1315
suspending 1076 editing the online help 1639
suspending CVCAs 1541 email notification files 1457
suspending Inspection Systems 1607 enabling email notification 1461
viewing 1066 enabling email notification for the initial DV certificate
viewing CVCA certificates 1550 request for a foreign CVCA 1464
viewing CVCAs 1534 help files 1638
viewing DV certificate requests 1571 installing 1320
viewing DV certificates 1581 installing CA certificates in Microsoft IIS 1354
viewing Inspection System certificates 1619 list operations 1451
viewing Inspection Systems 1598 local folders 1647
viewing the current signing keys 1589 localizing 1645
viewing the domestic CVCA holder identity 1528 logging in 1523
viewing the DV holder identity 1527 modifying email notification message text 1468
DV Administration 1523 modifying email notification subject text 1468
add a custom notification service 1644 modifying user policy for DV administrators 1368
adding a company logo 1634 overview 80
adding CA certificates to Apache HTTP Server 1361 testing 1377
affected by roles 1524 translating 1649
assigning SSL certificates to a DV Administration Web troubleshooting localization 1652
site in Microsoft IIS 1351 updating DV Administration Server profile keys 1314
assigning SSL certificates to the DV Administration updating DV Administration XAP profile keys 1317
VirtualHost in Apache HTTP Server 1358 using 1525
changing the email format 1457 DV Administration Server credentials 1311
completing the Apache HTTP Server front-end creating a profile 1313
configuration 1358 creating a user entry 1311
completing the Microsoft IIS front-end updating profile keys 1314
configuration 1351 DV Administration XAP credentials 1315
configuring 1447 creating a profile 1316
configuring a jurisdiction policy 1471 creating a user entry 1315
configuring email notification 1455 creating Server Login credentials 1317
configuring list operations 1451 updating profile keys 1317
configuring logs 1448 DV administrators
configuring SMTP server settings 1455 creating 1373
configuring the date format 1454 creating a user policy for DV administrators 1368
connecting to the DVCA 1364 creating roles for DV administrators 1371
Index 1717
- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z -
modifying email notification message text 1500 certificates. See also CV certificates 82
modifying email notification subject text 1500 CVCA 75
overview 80 definition 1703, 1704
providing CSCA materials 1514 DV 76
providing the latest domestic CSCA certificate 1513 Entrust products 78
updating DV Web Service profile keys 1417 holder identity 77
URL 1443 holder reference 83
DV Web Service credentials 1414 Inspection Systems 76
creating a profile 1417 overview 73
creating a user entry 1415 Security Manager 79
modifying the role 1414 sequence number algorithm 84
updating profile keys 1417 SPOC 76
DVCKM system components 78
configuring 1475 validation strings 86
configuring authentication to a directory without EAC certificate requests
anonymous access 1407 previewing at the CVCA 1103
configuring communications with SPOC Domestic Web previewing at the DV 1627
Service 1492 see also CV certificates
configuring email notification 1478 EAC certificate requests. See also CV certificates
configuring logs 1476 EAC certificates
configuring SMTP server settings 1478 previewing at the CVCA 1103
configuring the XAP message signing algorithm 1489 previewing at the DV 1627
deploying 1379 see also CV certificates
disabling email notification 1481 EAC certificates. See also CV certificates
DVCKM credentials 1382 editing
email notification files 1479 domestic master lists 799
enabling email notification 1481 foreign SPOCs 1232
files from the domestic SPOC 1387 EF.SOD. See Elementary File Document Security Object
installing 1388 Elementary File Document Security Object 1704
modifying email notification message text 1484 email notification
modifying email notification subject text 1484 adding a custom notification service 1119, 1644
overview 80 changing the email format for CVCA
updating DVCKM profile keys 1384 Administration 994
DVCKM credentials 1382 changing the email format for DV Administration 1457
creating a profile 1383 configuring for CVCA Administration 992
creating a user entry 1382 configuring for DV Administration 1455
updating profile keys 1384 configuring for DV Web Service 1495
configuring for DVCKM 1478
configuring for PKD Reader 426
E configuring for PKD Writer 348
EAC configuring for the NPKD services 550
Administration Services 79 configuring SMTP server settings for CVCA
architecture 74 Administration 992
audit logs 1677 configuring SMTP server settings for DV
authority reference 83 Administration 1455
certificate lifetimes 82 configuring SMTP server settings for DV Web
certificate status 82 Service 1495
certificate streams 85 configuring SMTP server settings for DVCKM 1478
Index 1719
- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z -
Entrust Authority IS Client. See IS Client
Entrust Authority IS Concentrator. See IS Concentrator
Entrust Authority Security Manager. See Security Manager
Entrust Datacard
  Customer Support 45
  Professional Services 45
  Training 46
Entrust PKI administrator 1704
Entrust products
  BAC 53
  EAC 78
Entrust profiles 64, 1704
  expiry 273
  see also profiles
  updating 273
entrust.ini
  checking for Administration Services 317, 394, 479, 747, 924, 1175, 1318, 1385, 1418
  configuring for Verification Server 186
entrust-configuration.xml
  Digital Signature service settings 293
  global settings 288
  location 287
  values 287
entsh. See Security Manager Control Command Shell
ePassport - Document Signer 138, 141, 190
ePassport - Master List Signer 143, 146
error format in Signature Delivery Service 223
error logging 278
establishing
  trust between a CVCA and a DV 88
  trust between a DV and an Inspection System 91
exit 1010, 1522
exporting
  active domestic master list 815
  all CSCA materials from a country in the National PKD 601
  archived domestic master lists 824
  assurance policies 708
  CRLs from the National PKD 634
  CSCA certificates from foreign master lists 841
  CSCA certificates from the active domestic master list 817
  CSCA certificates from the National PKD 663
  CVCA certificates 1553
  Document Signer certificates from the National PKD 620
  domestic CVCA certificates 1020
  DV certificate requests 1575
  DV certificates 1099, 1585
  foreign CVCA certificates 1050
  foreign master lists 839
  Inspection System certificates 1622
  master lists from the National PKD 647
  trust anchors from the National PKD 663
Extended Access Control. See EAC

F
FDVKey 903
FDVSerialNumber 903
FDVUserLimit 903
feedback 44
finding
  CVCAs 1536
  DVs 1069
  Inspection Systems 1601
foreign CVCAs
  activating 1037
  adding 1032
  deleting 1039
  disabling 1035
  enabling 1037
  listing 1033
  suspending 1035
  viewing 1033
foreign master lists
  adding 829
  adding CSCA certificates as trust anchors 844
  deleting 847
  exporting 839
  exporting CSCA certificates 841
  location 790
  viewing 832
front-end Web server
  adding CA certificates to Apache HTTP Server for CVCA Administration 967
  adding CA certificates to Apache HTTP Server for DV Administration 1361
  adding CA certificates to Apache HTTP Server for the NPKD services 532
  assigning SSL certificates to a CVCA Administration Web site in Microsoft IIS 957
  assigning SSL certificates to a DV Administration Web site in Microsoft IIS 1351
  adding 1594
  deleting 1611
  disabling 1607
  enabling 1609
  finding 1601
  listing 1598
  modifying 1602
  suspending 1607
  viewing 1598
installing
  Administration Services for a Master List Signer 751
  CA certificates in Microsoft IIS for the CVCA Administration 960
  CA certificates in Microsoft IIS for the DV Administration 1354
  CA certificates in Microsoft IIS for the NPKD services 524
  CSCA 95
  CVCA 893
  CVCA Administration 926
  DV 1295
  DV Administration 1320
  DV Web Service 1422
  DVCKM 1388
  LDAP directory as the National PKD 450
  Master List Signer Services CA 733
  National PKD manually 450
  NPKD services 482
  NPKD Services CA 459
  PKD Reader Services CA 381
  PKD Reader Web Service 404
  PKD Writer Services CA 301
  PKD Writer Web Service 324
  Security Manager as a CSCA 99
  Security Manager as a CVCA 894
  Security Manager as a DV 1296
  Security Manager as a Master List Signer Services CA 734
  Security Manager as a PKD Reader Services CA 382
  Security Manager as a PKD Writer Services CA 302, 460
  Security Manager as a SPOC CA 1154
  SPOC CA 1153
  SPOC services 1178
  Web server for Administration Services 467, 910, 1307
Internet Engineering Task Force 1704
IS Client 58, 81
IS Concentrator 58, 81
ISKey 1302
ISSerialNumber 1302
ISUserLimit 1302

J
JavaScript code 729, 887, 1130, 1289, 1653
jurisdiction policy 1471

L
LDAP page size for Document Signer certificate list operations 560
LDS. See Logical Data Structure
license information
  CVCA 903
  DV 1302
listing
  countries in the National PKD 592
  CRLs in the National PKD 625
  CSCA certificates in the National PKD 655
  CVCA certificates 1550
  CVCAs 1534
  Document Signer certificates in the National PKD 611
  domestic CVCA certificates 1017
  DV certificate requests 1571
  DV certificates 1096, 1581
  DVs 1066
  foreign CVCA certificates 1047
  foreign CVCAs 1033
  Inspection System certificates 1619
  Inspection Systems 1598
  master lists in the National PKD 639
  trust anchors in the National PKD 655
locale
  adding to CVCA Administration 1124
  adding to DV Administration 1648
  adding to MLS Administration 884
  adding to NPKD Administration 724
  adding to SPOC Administration 1286
  cannot display in some Web browsers 887, 1130, 1289, 1653
  CVCA Administration locale folders 1123
  defining 722, 882, 1122, 1284, 1646
  DV Administration locale folders 1647
  MLS Administration locale folders 883
  NPKD Administration locale folders 723
  overview 722, 882, 1122, 1284, 1646
  creating Master List Signer administrators 779
  deploying the Master List Signer services 737
  files from the CSCA 749
  installing a CA for Master List Signer services 733
  installing Administration Services 751
  installing Security Manager for the Master List Signer services 734
  Master List Client credentials 744
  Master List Server credentials 741
  Master List Signer credentials 148
  modifying user policy for Master List Signer administrators 776
  overview 51
  profile 148
  updating Master List Signer profile keys 151
Master List Signer administrators
  creating 779
  modifying a user policy for Master List Signer administrators 776
Master List Signer certificates 143
Master List Signer credentials 148
  creating a profile 150
  creating a user entry 148
  updating profile keys 151
Master List Signer Policy 146
Master List Signer service
  configuring whether MLS Administration can create domestic master lists 794
Master List Signer services
  configuring 785
  configuring domestic master lists 788
  configuring draft domestic master lists 791
  configuring foreign master lists 790
  configuring logs 786
  configuring the location of domestic master lists 788
  configuring the location of draft domestic master lists 791
  configuring the location of foreign master lists 790
  configuring the number of archived domestic master lists 788
  configuring the number of draft domestic master lists 791
  deploying 737
  disabling Master List Signer Web Service 793
  enabling Master List Signer Web Service 793
  Master List Client credentials 744
  Master List Server credentials 741
Master List Signer Web Service
  disabling 793
  enabling 793
master lists
  adding a CSCA certificate from foreign master list as a trust anchor 844
  adding foreign master lists 829
  administering 797
  creating domestic master lists 799
  deleting foreign master lists 847
  editing domestic master lists 799
  exporting archived domestic master lists 824
  exporting CSCA certificate from foreign master lists 841
  exporting CSCA certificates from the active domestic master list 817
  exporting foreign master lists 839
  exporting from the National PKD 647
  exporting the active domestic master list 815
  importing into the National PKD 690
  listing in the National PKD 639
  making an archived domestic master list the active domestic master list 826
  managing in the National PKD 639
  overview 51
  removing from the National PKD 649
  uploading the active domestic master list to the ICAO PKD 819
  viewing archived domestic master lists 821
  viewing assurance level details in the National PKD 644
  viewing detailed information in the National PKD 641
  viewing foreign master lists 832
  viewing the active domestic master list 812
Master Users 1006, 1518
message formats in Signature Delivery Service 220
message processing in Signature Delivery Service 219
Microsoft IIS 519, 957, 1351
  assigning SSL certificates to a CVCA Administration Web site 957
  assigning SSL certificates to a DV Administration Web site 1351
  assigning SSL certificates to the npkd Web site 519, 522
  installing CA certificates for CVCA Administration 960
  installing CA certificates for DV Administration 1354
  installing CA certificates for the NPKD services 524
  required features for Administration Services 468
MLS Administration
  adding a company logo 716, 876
  managing Document Signer certificates 611
  managing master lists 639
  managing trust anchors 655
  manually deploying 449
  monitoring 588
  object classes 455
  removing CRLs 637
  removing CSCA certificates 666
  removing Document Signer certificates 623
  removing master lists 649
  removing trust anchors 666
  required entries 457
  schema 451
  viewing assurance level details about a CRL 631
  viewing assurance level details about a CSCA certificate 660
  viewing assurance level details about a Document Signer certificate 617
  viewing assurance level details about a master list 644
  viewing assurance level details about a trust anchor 660
  viewing detailed information about a country 596
  viewing detailed information about a CRL 627
  viewing detailed information about a CSCA certificate 657
  viewing detailed information about a Document Signer certificate 613
  viewing detailed information about a master list 641
  viewing detailed information about a trust anchor 657
nonrepudiation 1705
NPKD Administration
  assigning CSCA certificates in a master list as trust anchors 651
  configuring assurance policy settings for a country in the National PKD 603
  configuring global assurance policy settings 704
  configuring NPKD services 710
  creating user policy for NPKD administrators 535
  customizing styles 720
  customizing the application title 718
  customizing the browser title 717
  customizing the interface 716
  dashboard 588
  downloading CSCA materials from ICAO PKD into PKD Reader 702
  editing PKD Reader settings 700
  exporting all CSCA materials from a country in the National PKD 601
  exporting assurance policies 708
  exporting CRLs from the National PKD 634
  exporting CSCA certificates from the National PKD 663
  exporting Document Signer certificates from the National PKD 620
  exporting master lists from the National PKD 647
  exporting trust anchors from the National PKD 663
  importing CSCA materials from PKD Reader into the National PKD 696
  listing countries in the National PKD 592
  listing CRLs in the National PKD 625
  listing CSCA certificates in the National PKD 655
  listing Document Signer certificates in the National PKD 611
  listing master lists in the National PKD 639
  listing trust anchors in the National PKD 655
  locale folders 723
  localizing 721
  logging in 572
  managing countries in the National PKD 592
  managing CRLs in the National PKD 625
  managing CSCA certificates in the National PKD 655
  managing Document Signer certificates in the National PKD 611
  managing master lists in the National PKD 639
  managing PKD Reader 693
  managing trust anchors in the National PKD 655
  modifying user policy for NPKD administrators 535
  monitoring the National PKD 588
  overview 56
  removing CRLs from the National PKD 637
  removing CSCA certificates from the National PKD 666
  removing Document Signer certificates from the National PKD 623
  removing master lists from the National PKD 649
  removing trust anchors from the National PKD 666
  testing 543
  translating 726
  troubleshooting localization 729
  using grids 573
  viewing assurance level details about a CRL in the National PKD 631
  viewing assurance level details about a CSCA certificate in the National PKD 660
  viewing assurance level details about a Document Signer certificate in the National PKD 617
  viewing assurance level details about a master list in the National PKD 644
  recovering profiles 253
  writing profiles to an HSM 260
OID 1705
online help
  customizing for CVCA Administration 1114
  customizing for DV Administration 1638
  editing for CVCA Administration 1115
  editing for DV Administration 1639
  files for CVCA Administration 1114
  files for DV Administration 1638
  updating the CVCA Administration application title 1116
  updating the CVCA Administration browser title 1115
  updating the DV Administration application title 1640
  updating the DV Administration browser title 1640
outbound requests
  deleting 1253
  generating 1236
  viewing 1249

P
passwords
  changing a profile password using Verification Server 274
PKCS #11 library 1705
PKD Reader
  configuring email notification 426
  configuring Security Manager as a PKD Reader Services CA 382
  configuring SMTP server settings 426
  deploying the PKD Reader Web Service 385
  disabling email notification 428
  downloading CSCA materials from ICAO PKD 702
  editing settings using NPKD Administration 700
  email notification files 427
  enabling email notification 428
  importing CSCA materials into the National PKD 696
  installing a PKD Reader Services CA 381
  installing Security Manager as a PKD Reader Services CA 382
  installing the PKD Reader Web Service 404
  managing using NPKD Administration 693
  modifying email notification message text 431
  modifying email notification subject text 431
  PKD Reader Client credentials 391
  PKD Reader Server credentials 388
  updating PKD Reader Client profile keys 393
  updating PKD Reader Server profile keys 390
  viewing the status 693
PKD Reader Client
  configuring authentication to a directory without anonymous access 517
  profile 391
  updating profile keys 478
PKD Reader Client credentials 391
  creating a profile 392
  creating a user entry 391
  updating profile keys 393
PKD Reader Server
  configuring authentication to a directory without anonymous access 422
  profile 388
PKD Reader Server credentials 388
  creating a profile 389
  creating a user entry 388
  updating profile keys 390
PKD Reader services
  configuring logs 435
PKD Reader Services CA
  installing 381
PKD Reader Web Service 55
  configuring 425
  deploying 385
  installing 404
PKD Writer
  configuring email notification 348
  configuring Security Manager as a PKD Writer Services CA 302, 460
  configuring SMTP server settings 348
  deploying the PKD Writer Web Service 305
  disabling email notification 350
  email notification files 349
  enabling email notification 350
  installing a PKD Writer Services CA 301
  installing Security Manager as a PKD Writer Services CA 302, 460
  installing the PKD Writer Web Service 324
  modifying email notification message text 353
  modifying email notification subject text 353
  PKD Writer Client credentials 312
  PKD Writer Server credentials 308
  updating PKD Writer Client profile keys 314
  updating PKD Writer Server profile keys 310
PKD Writer Client
  profile 312
S
SDS.ini 212
searching. See finding
Secure Sockets Layer. See SSL
securing access to the Digital Signature Service 197
security classes 1133, 1655
Security Manager
  configuring as a CSCA 99
  configuring as a CVCA 894
  configuring as a DV 1296
  configuring as a Master List Signer Services CA 734
  configuring as a PKD Reader Services CA 382
  configuring as a PKD Writer Services CA 302, 460
  configuring as a SPOC CA 1154
  configuring CVCA license information 903
  configuring DV license information 1302
  in a BAC system 54
  in an EAC system 79
  initializing a CVCA 904
  initializing a DV 1303
  installing as a CSCA 99
  installing as a CVCA 894
  installing as a DV 1296
  installing as a Master List Signer Services CA 734
  installing as a PKD Reader Services CA 382
  installing as a PKD Writer Services CA 302, 460
  installing as a SPOC CA 1154
Security Manager Control Command Shell
Security Manager Control Command Shell 1006, 1518
  CVCA command reference 1133
  dv command reference 1655
  logging in 1006, 1518
  logging out 1010, 1522
  Master Users 1006, 1518
  security classes 1133, 1655
sending
  CVCA certificates to a foreign CVCA 1243
  general messages to foreign SPOCs 1247
sequence number algorithm 84
Server Login 1705
Server Login credentials
  creating 191
  creating for a CVCA Administration XAP profile 920
  creating for a DV Administration XAP profile 1317
servlet 1706
Signature Delivery Service 69
  ASN.1 profile for Logical Data Structure Security Object 227
  ASN.1 structure of Document Security Object 229
  client programming tasks 226
  configuring 212
  error format 223
  health query 225
  how it works 69
  implementing the sample client code 226
  message formats 220
  message processing 219
  operational flow 69
  overview 57
  request format 220
  response format 222
  SDS.ini 212
  security concerns and safeguards for sample client code 227
  using 211
signature validation when retrieving CSCA materials
  disabling 564
  enabling 564
signing private key 1706
Single Point of Contact. See SPOC
SOAP 1706
SOD. See Document Security Object
SOLDS. See Logical Data Structure Security Object
SPOC
  adding foreign SPOCs 1229
  administering 1223
  creating SPOC administrators 1208
  deleting foreign SPOCs 1234
  deleting inbound requests 1270
  deleting outbound requests 1253
  deploying the SPOC services 1161
  editing foreign SPOCs 1232
  files for the DVCKM 1387
  files from the CVCA 1177
  generating outbound requests 1236
  installing SPOC services 1178
  message threads 1218
  modifying user policy for SPOC administrators 1207
  overview 76
  providing with domestic CVCA certificates 1227
  requesting CVCA certificates from foreign CVCAs 1236
  requesting DV certificates from a foreign CVCA 1240
  sending CVCA certificates to a foreign CVCA 1243
  sending general messages to foreign SPOCs 1247
  SPOC DVCKM Client credentials 1224
  updating SPOC DVCKM Client profile keys 1226
  NPKD Administration 543
  SSL-enabled Web server 911, 1308
  Web server 468
Tomcat. See Apache Tomcat
training 46
translating
  CVCA Administration 1126
  DV Administration 1649
  email notification templates 729, 1129, 1652
  JSP pages 1129, 1652
  MLS Administration 885
  NPKD Administration 726
  SPOC Administration 1287
troubleshooting
  broken JavaScript code 729, 887, 1130, 1289, 1653
  HTML entities referenced by name 729, 887, 1130, 1289, 1653
  localization in CVCA Administration 1129
  localization in DV Administration 1652
  localization in MLS Administration 887
  localization in NPKD Administration 729
  localization in SPOC Administration 1289
  tips 281
  translating email notification templates 729, 1129, 1652
  Verification Server 278
  Web browsers cannot display some locale names 887, 1130, 1289, 1653
trust anchor
  adding from foreign master lists 844
  see also CSCA certificates
trust anchors
  exporting from the National PKD 663
  importing into the National PKD 684
  listing in the National PKD 655
  managing in the National PKD 655
  removing from the National PKD 666
  viewing assurance level details in the National PKD 660
  viewing detailed information in the National PKD 657
typographic conventions 41

U
UAL file 1706
updating
  CA certificate 133
  CA keys 133
  CSCA certificate 153
  CSCA keys 153
  CVCA Administration online help application title 1116
  CVCA Administration online help browser title 1115
  CVCA Administration Server profile keys 917
  CVCA Administration XAP profile keys 920
  CVCA key pair 1030
  DV Administration online help application title 1640
  DV Administration online help browser title 1640
  DV Administration Server profile keys 1314
  DV Administration XAP profile keys 1317
  DV Web Service profile keys 1417
  DVCKM profile keys 1384
  Master List Client profile keys 746
  Master List Server profile keys 743
  Master List Signer profile keys 151
  NPKD Server profile keys 475
  PKD Reader Client profile keys 393, 478
  PKD Reader Server profile keys 390
  PKD Writer Client profile keys 314
  PKD Writer Server profile keys 310
  SPOC Client profile keys 1174
  SPOC Domestic Web Service profile keys 923
  SPOC DVCKM Client profile keys 1226
  SPOC Server profile keys 1171
uploading the active domestic master list to the ICAO PKD 819
URL
  DV Web Service 1443
  SPOC Domestic Web Service 1200
  SPOC WSDL 1199
user 1706
user policy
  creating for CVCA administrators 974
  creating for DV administrators 1368
  creating for NPKD administrators 535
  modifying for CVCA administrators 974
  modifying for DV administrators 1368
  modifying for Master List Signer administrators 776
  modifying for NPKD administrators 535
  modifying for SPOC administrators 1207
using
  Signature Delivery Service 211

V
validation strings 86, 1706
verification public key 1706
Verification Server 61
  customizing the NPKD Administration browser title 717
  customizing the SPOC Administration browser title 1279
Web server
  adding CA certificates to Apache HTTP Server for CVCA Administration 967
  adding CA certificates to Apache HTTP Server for DV Administration 1361
  adding CA certificates to Apache HTTP Server for the NPKD services 532
  assigning SSL certificates to a CVCA Administration Web site in Microsoft IIS 957
  assigning SSL certificates to a DV Administration Web site in Microsoft IIS 1351
  assigning SSL certificates to the CVCA Administration VirtualHost in Apache HTTP Server 964
  assigning SSL certificates to the DV Administration VirtualHost in Apache HTTP Server 1358
  assigning SSL certificates to the NPKD services VirtualHosts in Apache HTTP Server 529
  assigning SSL certificates to the NPKD Web site in Microsoft IIS 519, 522
  completing Apache HTTP Server configuration for CVCA Administration 964
  completing Apache HTTP Server configuration for DV Administration 1358
  completing Apache HTTP Server configuration for the NPKD services 529
  completing Microsoft IIS configuration for CVCA Administration 957
  completing Microsoft IIS configuration for DV Administration 1351
  completing Microsoft IIS configuration for the NPKD services 519
  component of Verification Server 62
  configuring the VirtualHost directive on Apache HTTP Server 469, 912, 1309
  enabling SSL 467, 910, 1307
  installing CA certificates in Microsoft IIS for CVCA Administration 960
  installing CA certificates in Microsoft IIS for DV Administration 1354
  installing CA certificates in Microsoft IIS for the NPKD services 524
  installing the Web server 467, 910, 1307
  Microsoft IIS features required for Administration Services 468
  testing 911, 1308
  testing the Web server 468
Web service 1706
writing profiles to an HSM using Offline Token Creation Utility 260
WSDL 1706

X
X.509 1706
XAP message signing algorithm
  configuring for DV Web Service 1506
  configuring for DVCKM 1489
XML 1706