Tivoli® Public Key Infrastructure Up and Running, Version 3 Release 7.1

Tivoli Public Key Infrastructure - publib.boulder.ibm.com/tividd/td/PKI/GC32-0472-03/en_US/PDF/iaugmst.pdf


Copyright Notice

Copyright © 1999, 2001 by Tivoli Systems Inc., an IBM Company, including this documentation and all software. All rights reserved. May only be used pursuant to a Tivoli Systems Software License Agreement or Addendum for Tivoli Products to IBM Customer or License Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without prior written permission of Tivoli Systems. Tivoli Systems grants you limited permission to make hardcopy or other reproductions of any machine-readable documentation for your own use, provided that each such reproduction shall carry the Tivoli Systems copyright notice. No other rights under copyright are granted without prior written permission of Tivoli Systems. The document is not intended for production and is furnished “as is” without warranty of any kind.

All warranties on this document are hereby disclaimed including the warranties of merchantability and fitness for a particular purpose.


Trademarks

The following product names are trademarks of Tivoli Systems Inc. or International Business Machines Corp. in the United States, other countries, or both: AIX, DB2, DB2 Universal Database, IBM, Netfinity, RS/6000, SecureWay, Tivoli, WebSphere.

The Tivoli PKI program ("the Program") includes portions of the IBM WebSphere Application Server and the IBM HTTP Web Server ("IBM Servers"). You are not authorized to install or use the IBM Servers other than in connection with your licensed use of the Program. The IBM Servers must reside on the same machine as the Program, and you are not authorized to install or use the IBM Servers separate from the Program.

The Program includes portions of DB2 Universal Database. You are authorized to install and use these components only in association with your licensed use of the Program and IBM WebSphere Application Server for the storage and management of data used or generated by the Program and IBM WebSphere Application Server, and not for other data management purposes. For example, this license does not include inbound connections to the database from other applications for queries or report generation. You are authorized to install and use these components only with and on the same machine as the Program.

Microsoft, Internet Explorer, Windows, Windows NT, and the Windows logo are trademarks or registered trademarks of Microsoft Corporation.

UNIX is a registered trademark in the United States and other countries licensed exclusively through The Open Group.

Java and all Java-based trademarks or logos are trademarks of Sun Microsystems, Inc.

Pentium is a trademark of Intel Corporation in the United States, other countries, or both.


This program contains security software from RSA Data Security, Inc. Copyright © 1994 RSA Data Security, Inc. All rights reserved.

This program contains Standard Template Library (STL) software from Hewlett-Packard Company. Copyright (c) 1994.

¶ Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

This program contains Standard Template Library (STL) software from Silicon Graphics Computer Systems, Inc. Copyright (c) 1996–1999.

¶ Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Silicon Graphics makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

Other company, product, and service names may be trademarks or service marks of others.


Notices

References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to Tivoli System’s or IBM’s valid intellectual property or other legally protectable right, any functionally equivalent product, program, or service can be used instead of the referenced product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, are the responsibility of the user.

Tivoli Systems or IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, New York 10504-1785, U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the information. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this information at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.


Contents

Preface . . . xiii
  Who Should Read This Guide . . . xiii
  Related Information . . . xiv
  What This Guide Contains . . . xv
    What’s New in this Release . . . xvi
  Conventions Used in This Guide . . . xvii
  Contacting Customer Support . . . xvii
  Tivoli PKI Web Information . . . xviii

Chapter 1. Understanding Tivoli PKI . . . 1
  What is Tivoli PKI? . . . 1
  Components . . . 3
    Tivoli PKI Server . . . 4
    Registration Authority . . . 4
    Certificate Authority . . . 8
    Audit Subsystem . . . 10
    Web Server . . . 11
    Database System . . . 12
    Directory Server . . . 12
    4758 Cryptographic Coprocessor . . . 13
    Key Back Up and Recovery Facility . . . 14
    Bulk Certificate Issuance Facility . . . 14
  Architecture . . . 15
    Public Key Infrastructure . . . 15
    PKIX CMP Protocol . . . 16
    LDAP Protocol . . . 16
    Object Stores . . . 16
  Trust Model . . . 17
    Code Signing . . . 17
    Message Signing . . . 18
    Data Encryption . . . 18
    KeyStores . . . 18
  Supported Standards . . . 18
  X.509 Version 3 Certificates . . . 20

Chapter 2. System Requirements . . . 23
  Server Software Requirements . . . 23
  Server Hardware Requirements . . . 25
  Setup Wizard Requirements . . . 26
  Client Requirements . . . 27

Chapter 3. Planning for Tivoli PKI . . . 29
  Installation Planning Checklist . . . 30
  Securing the System . . . 36
    Using Firewall Technology . . . 37
  Working with Tivoli PKI Databases . . . 38
  Configuring IP Aliases for the Web Server . . . 39
  Working with the Directory . . . 41
    Directory Schema . . . 42
    Directory Access Controls . . . 42
  Working with the 4758 Coprocessor . . . 43
    Storing the CA or RA Keys in Hardware . . . 44
  Integration with Policy Director . . . 45
  Supported Server Configurations . . . 46
  International Environment Considerations . . . 47
  Tivoli PKI Media Package . . . 48

Chapter 4. Installing Tivoli PKI on AIX . . . 49
  Setting Up AIX . . . 50
    Verifying Filesets . . . 51
    Verifying Adequate Paging Spaces . . . 52
    Applying the Fix Level to AIX . . . 52
    Setting Up AIX Volume Groups and File Systems . . . 53
    Creating a CD-ROM File System . . . 54
    Changing the Number of AIX System Users . . . 54
    Ensuring Host Name Resolution . . . 54
    Creating a System Image . . . 55
  Installing the Database Software . . . 55
    Installing DB2 . . . 56
  Installing IBM® Directory . . . 58
    Installing the Directory Software . . . 58
  Installing Java . . . 60
  Creating the WebSphere Application Server Database . . . 61
  Installing the Web Server Software . . . 61
    Installing WebSphere Application Server . . . 62
    Upgrading WebSphere Application Server . . . 63
  Disabling IBM HTTP Server Automatic Startup . . . 64
  Starting WebSphere Application Server . . . 65
  Installing the 4758 Coprocessor . . . 65
  Installing Tivoli PKI . . . 65
    Installing KeyWorks . . . 66
    Installing the Server Software . . . 67
    Multiple Machine Installation Guidelines . . . 69
    Changing Bootstrap Values . . . 73
    Running the Post-installation Configuration Program . . . 76
    Post-installation Checklist . . . 76
  Running the Backup Utility . . . 77

Chapter 5. Installing Tivoli PKI on Windows NT . . . 79
  Setting Up Windows NT . . . 80
  Installing the Database Software . . . 82
  Installing the Web Server Software . . . 84
    Installing the JDK . . . 84
    Installing IBM HTTP Server . . . 85
    Installing WebSphere Application Server . . . 86
    Setting Up IP Aliases . . . 87
  Installing IBM Directory . . . 87
    Installing Directory Software . . . 87
    Using the Directory with Tivoli PKI . . . 88
  Confirming System Settings . . . 88
  Installing Tivoli PKI . . . 89
    Installing the Server Software . . . 90
    Changing Bootstrap Values . . . 92
    Running the Post-installation Configuration Program . . . 94
    Post-installation Checklist . . . 95
  Running the Backup Utility . . . 97

Chapter 6. Configuring Tivoli PKI . . . 99

Chapter 7. Getting Started . . . 101
  System Administration . . . 101
  RA Administration . . . 103
  Registration and Certification . . . 104
  Customization . . . 104

Glossary . . . 107

Index . . . 133

Preface

This book provides you with the information you need to become productive with a Tivoli Public Key Infrastructure (Tivoli PKI) system. It discusses the following topics:

¶ How your organization can use Tivoli PKI to conduct encrypted, authenticated, and confidential transactions over the Internet. Using the Tivoli PKI registration facility, you can easily issue digital certificates to trusted parties and control whether or not a certificate is renewed or revoked.

¶ Guidelines to help you plan for Tivoli PKI, such as how to integrate Tivoli PKI components with other products installed at your site.

¶ Procedures for installing the product on an IBM® AIX® platform or under Microsoft® Windows NT®.

¶ Pointers to other documents that can help you use the Tivoli PKI user interfaces and administration tools.

Note: This release of the product only supports AIX platforms. You should ignore all material discussing Microsoft Windows.

Who Should Read This Guide

This book addresses a varied audience.

¶ If you are a marketing manager, this book shows you how to incorporate Tivoli PKI into your organization’s electronic business (e-business) strategy.

¶ If you are a security manager, this book shows you how to incorporate Tivoli PKI into your organization’s network security strategy.

¶ If you are a system administrator, this book assumes that you have experience installing and configuring products in a network environment. You should be knowledgeable about the following concepts:

v Hardware installation and configuration

v Internet communications protocols, in particular TCP/IP and Secure Sockets Layer (SSL)

v Web server administration

v Public key infrastructure (PKI) technology, including Directory schemas, the X.509 version 3 standard, and the Lightweight Directory Access Protocol (LDAP)

v Relational database systems, in particular IBM DB2 Universal Database®

Related Information

The Tivoli PKI product documentation is available in Portable Document Format (PDF) and HTML format at the Tivoli Web site. HTML versions of some publications are installed with the product and are accessible from the user interfaces.

Be aware that the product may have changed since the publications were produced. For the latest product information, and for information about accessing a publication in the language and format of your choice, see the Release Notes. The latest version of the Release Notes is available at the Tivoli Public Key Infrastructure Web site: http://www.tivoli.com/support

The Tivoli PKI library includes the following documentation:

Up and Running
This book provides an overview of the product. It lists the product requirements, includes installation procedures, and provides information about how to access the online help available for each product component. This book is printed and distributed with the product.

System Administration Guide
This book contains general information about administering the Tivoli PKI system. It includes procedures for starting and stopping the servers, changing passwords, administering the server components, performing audits, and running data integrity checks.

Configuration Guide
This book contains information about how to use the Setup Wizard to configure a Tivoli PKI system. You can access the HTML version of this guide while viewing online help for the Wizard.

Registration Authority Desktop Guide
This book contains information about how to use the RA Desktop to administer certificates throughout the certificate life cycle. You can access the HTML version of this guide while viewing online help for the Desktop.

User’s Guide
This book contains information about how to obtain and manage certificates. It provides procedures for using the Tivoli PKI browser enrollment forms to request, renew, and revoke certificates. It also discusses how to preregister for PKIX-compliant certificates.

Customization Guide
This book shows you how to customize the Tivoli PKI registration facility to support the registration and certification goals of your business policies. For example, you can learn how to customize HTML and Java® Server pages, notification letters, certificate profiles, and policy exits.

What This Guide Contains

This guide contains the following information:

¶ “Understanding Tivoli PKI” on page 1 briefly describes the features and capabilities of Tivoli PKI, its components, architecture, and supported standards.

¶ “System Requirements” on page 23 describes the hardware and software requirements necessary to successfully install and operate Tivoli PKI.

¶ “Planning for Tivoli PKI” on page 29 presents general information about Tivoli PKI features and detailed information about the components you must configure.


¶ “Installing Tivoli PKI on AIX” on page 49 gives procedural information for installing Tivoli PKI on an AIX platform.

¶ “Installing Tivoli PKI on Windows NT” on page 79 gives procedural information for installing Tivoli PKI on a machine running Windows NT.

¶ “Configuring Tivoli PKI” on page 99 gives an overview of the configuration process and the documentation you use to perform the configuration tasks.

¶ “Getting Started” on page 101 discusses topics, procedures, and tools you use to administer and customize various aspects of Tivoli PKI.

¶ “Glossary” on page 107 defines the terms and abbreviations in this book that may be new or unfamiliar and terms that may be of interest.

What’s New in this Release

Tivoli PKI 3.7.1 consists of the following new features and functions:

¶ Bulk certificate issuance. This feature provides a secure method for an authenticated user to request multiple digital certificates with one call to Tivoli PKI.

¶ Certificate Management Protocol (CMP) Version 2. This upgrade to CMP Version 2 provides Tivoli PKI with increased reliability in CMP state transitions as well as a higher level of security than CMP Version 1, which was previously implemented in Tivoli PKI.

¶ Root CA key rollover. This feature enables the Certificate Authority (CA) to do a change-over from one non-compromised CA key pair to the next CA key pair (referred to as CA key update).

¶ LDAP Version 3 compatibility. This feature offers schema compatibility with Lightweight Directory Access Protocol (LDAP) Version 3. In particular, it provides the ability to publish attributes to LDAP using the directory schema defined by RFC 2256. Schemas from PKIX LDAP Version 2 are still supported.

¶ HSM storage for RA keys. This feature enables the RA keys to be stored in a hardware security module (HSM) component, offering increased security capability for the RA’s signing keys.

Changes in the documentation for this release are identified by a revision bar in the margin.

Note: Tivoli PKI 3.7.1 only supports AIX. It does not support Windows NT for this release.

Conventions Used in This Guide

This guide uses different typeface conventions for special terms and actions. The conventions have the following meaning:

Convention   Meaning
Bold         Commands, keywords, flags, and other information that you must use literally appear in bold.
Italics      Variables that you must provide and new terms appear in italics. Words and phrases that are emphasized also appear in italics.
Monospace    Code examples, output, and system messages appear in a monospace font.

Contacting Customer Support

If you encounter difficulties with any Tivoli products, you can enter http://www.support.tivoli.com to view the Tivoli Support home page. After you link to and submit the customer registration form, you can access many customer support services on the Web.

Use the following phone numbers to contact customer support in the United States: the Tivoli number is 1-800-848-6548 (1-800-TIVOLI8) and the IBM® number is 1-800-237-5511 (press or say 8 after you reach this number). Both of these numbers direct your call to the Tivoli Customer Support Call Center.

We are very interested in hearing from you about your experience with Tivoli products and documentation. We welcome your suggestions for improvements. If you have comments or suggestions about this documentation, please send e-mail to [email protected].

Tivoli PKI Web Information

Tivoli and IBM Tivoli customers can find online information for any Tivoli security product and Tivoli PKI.

For important information about last-minute product updates and service information about Tivoli PKI, start at this Web site: http://www.tivoli.com/support/secure_download_bridge.html

For information about the Tivoli Public Key Infrastructure product, visit this Web site: http://www.tivoli.com/products/index/secureway_public_key/

For information about other Tivoli security management products, visit this Web location: http://www.tivoli.com/products/solutions/security/


Understanding Tivoli PKI

This chapter provides an overview of Tivoli Public KeyInfrastructure (Tivoli PKI). It discusses the features and capabilitiesof Tivoli PKI, its components, architecture, and supported standards.

What is Tivoli PKI?Tivoli Public Key Infrastructure provides applications with themeans to authenticate users and ensure trusted communications. Thefollowing are some features of Tivoli PKI:

¶ It allows organizations to issue, publish, and administer digitalcertificates in accordance with their registration and certificationpolicies.

¶ Support for Public Key Infrastructure for X.509 version 3(PKIX) and Common Data Security Architecture (CDSA)cryptographic standards allows for vendor interoperability.

¶ Digital signing and secure protocols provide the means to authenticate all parties in a transaction.

¶ Browser-based registration capabilities provide maximum flexibility.

¶ Encrypted communications and secure storage of registration information help ensure confidentiality.

A Tivoli PKI system can run on IBM AIX/6000 (AIX) and Microsoft Windows NT server platforms. It includes the following key features:


¶ A trusted Certificate Authority (CA) manages the life cycle of digital certification. To validate the authenticity of a certificate, the CA digitally signs each certificate it issues. The CA also signs certificate revocation lists (CRLs) to confirm that a certificate is no longer valid. To further protect the CA’s signing key, you can use cryptographic hardware, such as the IBM 4758 PCI Cryptographic Coprocessor.

¶ A Registration Authority (RA) handles the administrative tasks of user registration. The RA ensures that only certificates that support your business activities are issued, and that these certificates are issued only to authorized users. The administrative tasks can be handled through automated processes or human decision-making. Similar to the CA, the RA can also use cryptographic hardware, such as the IBM 4758 PCI Cryptographic Coprocessor, to further protect its signing key.

¶ A Web-based enrollment interface makes it easy to obtain certificates for browsers, servers, virtual private network (VPN) devices, smart cards, and secure e-mail.

¶ A Web-based administration interface, the RA Desktop, enables authorized registrars to approve or reject enrollment requests and administer certificates after they have been issued.

¶ An Audit subsystem computes a message authentication code (MAC) for each audit record. If audit data is altered or deleted after it has been written to the audit database, the MAC enables you to detect the intrusion.

¶ Policy exits and business process objects (BPOs) enable application developers to customize the registration processes.

¶ Integrated support for a cryptographic engine. To authenticate communications, the core Tivoli PKI components are signed with a factory-generated private key. Security objects, such as keys and MACs, are encrypted and stored in protected areas called KeyStores.

¶ Integrated support for IBM Directory. The Directory stores information about valid and revoked certificates in an LDAP-compliant format.


¶ Integrated support for IBM WebSphere™ Application Server and IBM HTTP Server. The Web server works with the RA server to encrypt messages, authenticate requests, and transfer certificates to the intended recipient.

¶ Integrated support for IBM DB2 Universal Database.

Components

The following diagram shows a Tivoli PKI system in which the server programs are distributed among three machines. In your organization, all three servers might co-exist on a single machine.

Figure 1. Tivoli PKI component configuration

[Figure 1 is a diagram of which only the labels survive extraction. It shows the Enrollment Browser and the RA Desktop communicating over HTTP/S with the HTTP Server and the Tivoli PKI and RA Servers (backed by a 4758 Card, the RA ObjectStore, the Registration Database, and the Configuration Database); the RA Servers communicating over PKIX CMP via TCP with the CA and Audit Servers (backed by a 4758 Card, the CA ObjectStore, the CA Database, and the Audit Database, held in DB / File storage); and the RA Servers communicating over LDAP with the Directory Server and its Directory Database.]


Tivoli PKI Server

The Tivoli PKI server is the central server that ties the other components together. It maintains the configuration database and provides utilities for administering the system.

Registration Authority

The Registration Authority (RA) is the server component that manages the registration process. The RA ensures certificates are issued to approved entities only. The RA also ensures certificates are used for approved purposes only. The primary tasks for an RA include the following:

¶ Confirming the identity of the requesting entity

¶ Verifying that the applicant is entitled to a certificate that contains the requested attributes and permissions

¶ Approving or rejecting requests to create, renew, or revoke certificates

¶ Verifying that an entity that attempts to access a secure application or resource holds the private key that is associated with the certificate’s public key

Similar to the Tivoli PKI CA, the RA can use cryptographic hardware, such as the IBM 4758 PCI Cryptographic Coprocessor, to provide added security for its signing keys.

In Tivoli PKI, the registration facility installed on the RA server provides the framework to support a wide range of registration activities. When you configure the system, you establish a registration domain that governs the business policies, certificate policies, and resources in accordance with your organization’s preferred registration and certification practices.

Enrollment

The RA provides support for a variety of enrollment protocols and certificate types. Enrollment features include:

¶ The use of a DB2 database to log encrypted registration and certificate data.


¶ Support for manual and automated registration approval processes.

¶ A collection of Java-based enrollment forms that allow users to request and obtain certificates through their own Web browsers. The enrollment process authenticates the client and server identities and delivers certificates to approved entities, with end-to-end encryption of all requested data. The enrollment process includes:

v The delivery of certificates through the Secure Sockets Layer (SSL) for use with applications that are accessed from a Web browser or Web server.

v The delivery of certificates through the PKIX Certificate Management Protocol (CMP) for use in a PKIX client application, or to store on smart cards.

v The delivery of certificates that support the Internet Protocol Security standard (IPSec) for use with secure VPN applications or IPSec-enabled devices.

v The delivery of certificates that support Secure Multipurpose Internet Mail Extensions (S/MIME) for use with secure e-mail applications.

v The delivery of notification letters that inform applicants about the approval or rejection of a request.

¶ A collection of certificate profiles that make it easy for users to obtain the type of certificate they need. The profiles define the intended purpose of the certificate and the certificate’s validity period. Based on information in the template, the RA is able to deliver a certificate in the proper format with the necessary certificate content.

For information about the certificate types and certificate extensions supported by the RA, see “Supported Standards” on page 18 and “X.509 Version 3 Certificates” on page 20.

¶ Support for preregistration, a process that enables one user, typically an administrator, to request a PKIX-compliant certificate for another user.


¶ Support for policy exits and Business Process Objects (BPOs), which enable organizations to call their own programs during the enrollment process. The RA includes a sample policy exit that performs automated approval processing.

Refer to the IBM Redbook, Working with Business Process Objects for Tivoli SecureWay PKI, SG24-6043-00, for guidance on developing and customizing business process objects (BPOs) to suit your own unique business requirements.

For complete information about using a Web browser to enroll for certificates, see the Tivoli PKI User’s Guide. That book also describes the types of certificates provided in the default installation of Tivoli PKI.

Administration

The Registration Authority Desktop (RA Desktop) applet allows authorized administrators (also known as registrars) to review applications for certificates, approve or reject requests, renew certificates, and permanently or temporarily revoke certificates. It supports such tasks as:

¶ Retrieving pending enrollment requests

¶ Querying the registration database to retrieve and act on records that match certain criteria

¶ Reviewing detailed information about a certificate or a request, such as the history of all actions taken since a request was first submitted

¶ Setting the validity period of a certificate

¶ Annotating a record to explain the reason for an action

The RA Desktop is a secure applet. To access it, a user must first become an authorized registrar. Tivoli PKI provides a tool to facilitate this process. You can add any number of registrars to support your registration work load.

When you add a registrar, you identify the registration domain and specify the user’s privileges. For example, you may allow one registrar to approve and reject requests only, but allow another registrar to revoke certificates as well.

¶ For information about installing, accessing, and using the RA Desktop applet, see the Tivoli PKI RA Desktop Guide.

¶ For information about authorizing registrars, see the Tivoli PKI System Administration Guide.

Customization

You can use the registration facility provided with Tivoli PKI without customizing it. However, you probably want to change some of the enrollment forms or registration processes to reflect your organization’s specific goals for digital certification. For example, you may want to display your corporate logo on the browser enrollment form. You may also want to change certificate profiles to support extensions that are relevant to the class of users, servers, or devices you plan to enroll.

After you install and configure Tivoli PKI, you can copy many of the files that define your registration domain and customize them for your business purposes. Be sure to make a backup copy before changing a file.

You can copy or update the following registration facility files. During configuration, these files are created in the directory path established for your registration domain.

¶ The configuration files (file type .cfg) installed in the etc subdirectory. For example, you may want to adjust a runtime setting for the RA server or RA Desktop.

¶ The sample notification letters (file type .ltr) installed in the etc subdirectory. Tivoli PKI provides sample text to inform users when a request has been approved or rejected, but you may want to write your own.

¶ The HTML files (file type .html), graphics (file type .gif), and Java Server Pages (file type .jsp) installed in the webpages subdirectory. For example, you may want to alter the text and graphics displayed in the browser enrollment forms. You can also customize an existing certificate profile or define a new one to support your organization’s certificate policies.

¶ The policy exit (policy_exit) installed in the bin subdirectory. Tivoli PKI provides this exit as an example of how to handle automated approval processing. You can write other exits to integrate registration processing with your other applications or to process your own registration actions.

For information about changes you can make to your registration and certification processes, and for instructions on how to do so, see the Tivoli PKI Customization Guide.

For additional information on customization topics, refer to the IBM Redbook, Working with Business Process Objects for Tivoli SecureWay PKI, SG24-6043-00, for guidance on developing and customizing business process objects (BPOs) to suit your own unique business requirements.

Certificate Authority

The Certificate Authority (CA) is the server component that manages the certification process. The CA acts as a trusted third party for users who engage in e-business. The CA validates the identity of users through the certificates it issues. In addition to proving the identity of the user, the certificate includes a public key that enables the user to verify and encrypt communications.

The trustworthiness of the parties depends on the trust that is placed in the CA that issued the certificate. To ensure the integrity of a certificate, the CA digitally signs the certificate. Any attempt to alter a certificate invalidates the signature and renders the certificate unusable.

The Tivoli PKI CA provides a secure transaction environment by doing the following:

¶ Ensure the uniqueness of a certificate. The CA generates a serial number for each new certificate and for each renewed certificate. This serial number is a unique identifier that is not stored as part of the distinguished name (DN) in the certificate.


¶ Track the certificates it issues. The CA maintains an issued certificate list (ICL). The ICL stores a secure copy of each certificate, indexed by serial number, in a DB2® database.

¶ Track revoked certificates. The CA creates and updates certificate revocation lists (CRLs). The CA and RA exchange messages as soon as the revocation occurs, which enables the RA to update the Directory during the next periodic update. The CA digitally signs all CRLs to validate their integrity.

¶ Protect against data tampering. The CA generates a message authentication code (MAC) for each record written to the database. The MAC helps ensure the integrity of the database by enabling you to detect when data in it has been altered or deleted.

¶ Protect the CA’s signature. The CA can be integrated with the IBM 4758 PCI Cryptographic Coprocessor. The 4758 uses a cryptographic key stored in hardware to encrypt and protect the CA’s signing key.

¶ Support the update (rollover) of the CA key pair and certificate in order to prevent expiration.

¶ Support auditing and data recovery. The CA generates audit records for numerous auditable events. The Audit server stores these records in a DB2 database.

¶ If your organization has discrete applications for which a single CA would suffice, Tivoli PKI supports self-signed CA certificates. In this scenario, the CA is responsible for all of the certification activity within its administrative domain.

¶ If your organization has interleaving or hierarchical chains of authority, you can configure the CA to work with other CAs.

v A Tivoli PKI CA can cross-certify with another CA and agree to accept certificates signed by that CA as proof of authenticity. Cross-certification allows entities in one CA’s administrative domain to communicate securely with entities in another CA’s administrative domain.

v A Tivoli PKI CA can serve as a root CA to sign other CA certificates. It also supports requests from other CAs that want to sign its CA certificate. This enables the CA to participate in a trust hierarchy; the CA agrees to accept certificates that are signed by any CA above it in the hierarchy as proof of authenticity.

Such trust models are useful, for example, for separating geographical areas and organizational units into distinct administrative domains. They also enable you to apply different certificate policies to different sections of the organization.

¶ If your organization needs certificates for purposes not already supported through the Tivoli PKI certificate profiles, the CA can generate and validate certificates with customer-defined extensions.

See the Tivoli PKI Customization Guide for information about defining new certificate profiles and certificate extensions.

For more detailed information about the Tivoli PKI CA, see the Tivoli PKI System Administration Guide. This book contains guidelines for adjusting runtime options for the CA server, and procedures for establishing cross-certified and hierarchical CA trust models.

Audit Subsystem

In Tivoli PKI, the Audit subsystem provides support for logging security-relevant actions. The Audit server handles the following audit-related activity:

¶ Receives audit events from audit clients, such as the Registration Authority and Certificate Authority.

¶ Writes the events to an audit log that is typically stored in a DB2 database (you can choose to store the log as a data file). There is one record in the log per audit event.

¶ Allows the audit clients to mask certain audit events. Although some events are always logged, you can employ masking to prevent other events from being reported. This allows you to control the size of the audit logs and ensure that the logged events are of interest in your environment.


¶ Computes a message authentication code (MAC) for each audit record. The MAC helps ensure the integrity of the database contents. For example, you can determine whether a record has been altered, tampered with, or deleted since it was logged.

¶ Provides a tool for performing integrity checks on the audit database and archived audit records.

¶ Provides a tool for archiving and signing the current state of the audit database. For security purposes, you should archive the audit database and store it off-site on a periodic basis. Archiving the database can also provide performance benefits and conserve disk space.
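As an added illustration of how a per-record MAC makes altered and deleted audit records detectable (example code written for this page, not the Tivoli PKI Audit server's implementation, whose MAC construction the book does not describe), the block below chains each record's HMAC to its predecessor and shows why a signed snapshot of the log's final state, like the archive-and-sign tool above, is needed to catch deletions at the tail. The key, the events, and all field names are constructed.

```python
"""Added example: per-record MAC plus chaining for an audit log (not Tivoli PKI code)."""
import copy
import hashlib
import hmac
import json

# Constructed demo key. A real deployment keeps the MAC key in a protected
# KeyStore or an HSM, never in source.
AUDIT_MAC_KEY = b"constructed-demo-key-do-not-use"
GENESIS_MAC = "00" * 32  # chain anchor for the first record (32 zero bytes, hex)


def record_mac(key: bytes, seq: int, prev_mac: str, event: dict) -> str:
    """HMAC-SHA256 over (sequence number || previous record's MAC || canonical event).

    Binding seq and prev_mac into the MAC is what makes a deleted or reordered
    record detectable, not only an altered one: every later record's MAC depends
    on its predecessor.
    """
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    msg = seq.to_bytes(8, "big") + bytes.fromhex(prev_mac) + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_event(log: list, key: bytes, event: dict) -> dict:
    """Append one audit event (one record per event) and return the new record."""
    seq = len(log) + 1
    prev = log[-1]["mac"] if log else GENESIS_MAC
    rec = {"seq": seq, "event": event, "mac": record_mac(key, seq, prev, event)}
    log.append(rec)
    return rec


def verify_log(log: list, key: bytes, signed_last_mac=None):
    """Integrity check. Returns (ok, problems).

    signed_last_mac is the MAC of the final record as captured by a signed
    archive of the database state. Without it, deleting records from the tail
    of the log cannot be detected, because nothing after them is chained.
    """
    problems = []
    prev = GENESIS_MAC
    expected_seq = 1
    for rec in log:
        if rec["seq"] != expected_seq:
            problems.append(f"sequence gap: expected {expected_seq}, found {rec['seq']}")
        expected = record_mac(key, rec["seq"], prev, rec["event"])
        if not hmac.compare_digest(expected, rec["mac"]):
            problems.append(f"seq {rec['seq']}: MAC mismatch (record altered or chain broken)")
        prev = rec["mac"]
        expected_seq = rec["seq"] + 1
    if signed_last_mac is not None and not hmac.compare_digest(prev, signed_last_mac):
        problems.append("tail mismatch: log ends earlier than the signed archive state")
    return not problems, problems


def demo() -> dict:
    """Build a constructed log and report what each tampering case does to verification."""
    events = [  # constructed events in the spirit of RA/CA audit entries
        {"component": "RA", "action": "ENROLL_REQUEST_RECEIVED", "subject": "CN=alice,O=Example"},
        {"component": "RA", "action": "REQUEST_APPROVED", "registrar": "reg01"},
        {"component": "CA", "action": "CERT_ISSUED", "serial": "0x1A2B"},
        {"component": "CA", "action": "CERT_REVOKED", "serial": "0x1A2B"},
    ]
    log = []
    for e in events:
        append_event(log, AUDIT_MAC_KEY, e)
    signed_last_mac = log[-1]["mac"]  # what a signed archive of the current state records

    altered = copy.deepcopy(log)  # change who approved the request
    altered[1]["event"]["registrar"] = "reg99"

    gapped = copy.deepcopy(log)  # remove the issuance record from the middle
    del gapped[2]

    truncated = copy.deepcopy(log)  # remove the revocation record from the tail
    del truncated[3]

    return {
        "clean": verify_log(log, AUDIT_MAC_KEY)[0],
        "altered": verify_log(altered, AUDIT_MAC_KEY)[0],
        "deleted_middle": verify_log(gapped, AUDIT_MAC_KEY)[0],
        "deleted_tail_no_checkpoint": verify_log(truncated, AUDIT_MAC_KEY)[0],
        "deleted_tail_with_checkpoint": verify_log(truncated, AUDIT_MAC_KEY, signed_last_mac)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:30s} {'OK' if ok else 'TAMPERING DETECTED'}")
```

The "deleted_tail_no_checkpoint" case passes verification, which is the reason a periodically signed and off-site archived state matters: chaining alone cannot tell a truncated log from one that simply stopped.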

The Audit server must be installed on the same machine as the Certificate Authority. After installing and configuring the system, see the Tivoli PKI System Administration Guide for information about using the audit tools and administering the Audit server.

Web Server

Tivoli PKI uses the IBM WebSphere Application Server to provide a trusted base for network transactions. WebSphere is a security-aware collection of products, including the IBM HTTP Server, that supports the deployment of advanced e-business applications.

In a Tivoli PKI system, you must install the Web server software on the same machine as the Registration Authority. It provides a secure boundary between protected programs and the users who attempt to access them. Using Hypertext Transfer Protocols (HTTP and HTTPS) and Secure Sockets Layer (SSL) technology, the Web server can encrypt communications between the clients and the server. It can also authenticate connections to prevent unauthorized access or data tampering.

The Web server uses different ports to handle different types of requests:

¶ A public port for requests that do not require encryption or authentication


¶ A secure port for requests that require encryption and server authentication

¶ A secure port for requests that require encryption, server authentication, and client authentication

In a Tivoli PKI system, the Web server handles all requests that it receives from a Web browser. This includes requests for new certificates, requests to renew or revoke existing certificates, and requests to run secure applets. If needed, it performs authentication before allowing any exchange of information to take place.

Database System

IBM DB2 Universal Database (DB2) is the Tivoli PKI storage base. The server components maintain separate databases for configuration data, registration data, certificate data, audit data, and Directory data. DB2 offers extensive security features and storage capacity. For example, DB2 enables Tivoli PKI to store registration data in an encrypted format and to perform integrity checks on stored audit records.

The version of DB2 required by Tivoli PKI is included in the Tivoli PKI media package. Before installing the Tivoli PKI server code, you must ensure that the database software is available on each machine where you plan to install a server component. During installation and configuration, Tivoli PKI creates the needed databases for you.

Directory Server

IBM Directory maintains information about certificates in a centralized location. Through its integration with IBM DB2, the Directory can support millions of directory entries. It also allows client applications, such as Tivoli PKI, to perform database storage, update, and retrieval transactions.

In Tivoli PKI, the RA server publishes the following information in the Directory:

¶ Public key certificates, which are used for encryption and authentication


¶ The attributes associated with a distinguished name (the owner’s roles and privileges)

¶ Certificate revocation lists that include the serial numbers of all revoked certificates

¶ Information about the CA that signs the certificates, including the business and certificate policies associated with the certificate

4758 Cryptographic Coprocessor

When a CA issues a certificate, the CA’s signature certifies that the user is authorized to access the services for which the user registered. To prevent unauthorized users from obtaining certificates and gaining access to sensitive resources, you must protect the CA’s signing key. Similar security considerations apply with regard to the key pairs generated by the RA.

Software solutions can provide a high degree of security to the signing key through encryption. However, because the key must be exposed to generate the signature, this approach exposes the key to capture by unauthorized users.

The IBM 4758 PCI Cryptographic Coprocessor is special hardware that can be used in a Tivoli PKI system to protect CA and RA keys. The 4758 coprocessor performs extensive RSA- and DES-based cryptographic functions within an enclosed, tamper-detecting, high-security processor aboard the hardware. The coprocessor provides cryptographic data protection, key management, and custom application support. The coprocessor also supports the MD5 and SHA-1 hash algorithms. These features enable the 4758 coprocessor to be industry-compliant for standards and applications requiring hardware security module (HSM) capability.

In a single-machine Tivoli PKI installation, the CA and RA may each have their own 4758 coprocessor card, or they may share one single 4758 coprocessor card. You specify how the card is configured when you run the Setup Wizard.


Note: Support for the 4758 coprocessor is provided only in the AIX version of Tivoli PKI.

Refer to the Tivoli PKI System Administration Guide and the product documentation for additional information on the 4758 coprocessor.

Recommendation

Although the 4758 coprocessor is not required, IBM recommends that you install it on the same server where you plan to install the Certificate Authority. If you rely on software to protect the CA keys, you cannot later install the hardware support without also reinstalling the Tivoli PKI software.

Key Back Up and Recovery Facility

Tivoli PKI provides a key back up and recovery request facility that enables back up and recovery of end-entity certificates and corresponding private keys certified by Tivoli PKI.

This facility enables recovery of a lost, forgotten, or otherwise unobtainable certificate and private key. Consider the following scenario: An employee routinely backs up certificates and private keys and then suddenly leaves the company, failing to return all private keys required to access the certificates. By issuing a recovery request, you can retrieve that information.

The backup process requires that the user create a PKCS #12 file. This file contains the user’s certificate and private key. The user issues a backup request from a supported browser using the PKCS #12 file as input. The key recovery database, krbdb, is updated and contains the access information. Key recovery works in a similar manner: you issue a recovery request specifying the password for the PKCS #12 file you backed up. Once the request is approved by the RA Administrator, you can download the file.

Bulk Certificate Issuance Facility

Tivoli PKI provides a bulk certificate issuance facility that enables the customer to enroll, create, and post to Lightweight Directory Access Protocol (LDAP) many end-entity certificates in a single, automated process. This facility requires a properly formatted input file containing certificate data, including the public key. The process reads the input into the enrollment database, then sends the requests to the CA for certificate generation, and finally posts the user data and certificate to the Directory. The bulk certificate issuance facility can be run as a single process or it can be separated into the individual processes, depending on the customer’s business model. This facility is described in detail in the Tivoli PKI System Administration Guide.

Architecture

The following sections discuss the Tivoli PKI architectural framework and the protocols that it supports.

Public Key Infrastructure

The public key infrastructure (PKI) provides applications with a framework for performing the following types of security-related activities:

¶ Authenticate all parties that engage in electronic transactions.

¶ Authorize access to sensitive systems and repositories.

¶ Verify the author of each message through its digital signature.

¶ Encrypt the content of all communications.

The PKIX standard evolved from PKI to support the interoperability of e-business applications. Its primary advantage is that it enables organizations to conduct secure electronic transactions without regard for operating platform or application software.

The PKIX implementation in Tivoli PKI is based on the Common Data Security Architecture (CDSA) from Intel. CDSA supports multiple trust models, certificate formats, cryptographic algorithms, and certificate repositories. Its primary advantage is that it enables organizations to write PKI-compliant applications that support their business policies.


PKIX CMP Protocol

Tivoli PKI uses the PKIX Certificate Management Protocol (CMP) for communications between the RA and CA servers, and for communications between the RA server and clients. While CMP uses TCP/IP as its primary transport mechanism, an abstraction layer over sockets exists. This enables support for additional polling transports.

CMP defines message formats to support the entire certificate life cycle. It also specifies how message protection must be handled independent of the transport mechanism.

CMP Version 2, supported in this release of Tivoli PKI, helps promote interoperability involving multiple-vendor CAs as they perform such functions as issuance, revision, and revocation of digital certificates. This support also provides for increased security and message sizes.

LDAP Protocol

To provide applications with access to its centralized server services, the IBM Directory supports the Lightweight Directory Access Protocol (LDAP). LDAP is a protocol derived from the X.500 standard. LDAP uses TCP/IP, and controls access to the directory through the use of distinguished names and passwords. Because it supports SSL connections, LDAP can encrypt messages and perform mutual authentication of clients and servers.

In Tivoli PKI, the RA server uses LDAP to communicate with the Directory server. The RA publishes certificates, certificate revocation lists, and other information about registered entities and certification policies in the Directory on a scheduled periodic basis.

In this release of Tivoli PKI, compatibility with LDAP Version 3 object classes and schemas is provided. Existing Tivoli PKI applications that use PKIX LDAP Version 2 schemas can continue using existing schemas and object classes.

Object Stores

Each Tivoli PKI component has an object store. The object store is a disk-based repository for persistent objects. It stores transactions in progress and state information about those transactions. The objects can be active control objects (such as certificates, requests, and CRLs) or surrogates. A surrogate is an area where state data about the object is saved.

Because objects in the object store are stored in an ASN.1-encoded format, retrieval and storage can be a relatively expensive operation. The object store caches modifications to objects, and does not update the disk storage until a change in object state occurs, or until a user interface alters the object.

To minimize the overhead that is associated with ASN.1 parsing, Tivoli PKI uses an object-cache layer above the object store that performs a write-through cache of object store objects. As a result, an object only requires parsing the first time it is referred to after a server restart.

The object-cache layer provides an additional per-object storage area which is not disk-based. Tivoli PKI uses this area for storing transient, security-related information, such as the password protecting a preregistration record. The object cache can also lock record objects to protect against simultaneous access by multiple threads.

Trust Model

Security in a Tivoli PKI system is accomplished through the use of code signing, message signing, data encryption, and the secure storage of keys and passwords.

Code Signing

Core Tivoli PKI code is signed at the time it is manufactured. When code is signed with a factory-generated private key, it becomes a static and protected object. It cannot be altered or replaced without detection. Other code objects are able to use the corresponding public key and the internal verification library to authenticate the communication before any exchange of data takes place.


Message Signing

To provide even greater authentication services, the configuration process generates signing keys for the RA, CA, and Audit servers, ensuring that all inter-component communications are signed. For example, all messages exchanged between the RA and CA can be authenticated on the basis of each component's signature.

Data Encryption

All information stored in KeyStores is encrypted. DB2 also encrypts much of the information stored in the Tivoli PKI databases.

KeyStores

Tivoli PKI provides support for KeyStores, secure areas that store private keys, certificates, message authentication codes (MACs), and other security-relevant objects. Distinct KeyStores exist for the CA and Audit components and for several server agents that help carry out server transactions. Information in each KeyStore is encrypted and accessible only through a password that is established for that KeyStore.

This trust model helps ensure system integrity by protecting objects that are stored in KeyStores. It also helps ensure the confidentiality of those objects by allowing only a trusted system component (one that was signed with a factory-generated key) to access the KeyStore and the encrypted data within.

During configuration, you set two passwords, the cfguser password and the Control Program password. These passwords can be the same or different. After configuration, you must set a unique password for each KeyStore. See the Tivoli PKI System Administration Guide for information about using the Change Password utility to make these changes.

Supported Standards

Tivoli Public Key Infrastructure supports the following standards for public key cryptography.


Component: Registration Authority
¶ Secure Sockets Layer (SSL) version 2 and version 3, with client authentication
¶ PKCS #10 browser and server certificate format, with a Base64-encoded PKCS #7 response
¶ PKIX CMP certificate format, with a PKIX CMP response
¶ IPSec certificate format
¶ S/MIME certificate format
¶ Browser certificates for:
v Microsoft Internet Explorer versions 4.x and 5.x
v Netscape Navigator and Netscape Communicator versions 6.x
¶ Server certificates for:
v Netscape Enterprise Server
v Microsoft Internet Information Server
¶ Smart card certificates (PKCS #11 interface) for Netscape Navigator and Netscape Communicator versions 6.x
¶ LDAP standard for communications with the Directory
¶ PKIX CMP via TCP/IP for communications with the Certificate Authority

Component: Certificate Authority
¶ X.509v3 certificates
¶ Certificate revocation lists (CRLv2)
¶ Key lengths up to 1024 bits for encryption and key exchange keys
¶ Key lengths up to 2048 bits for CA signing keys
¶ RSA algorithms for encryption and signing
¶ MD5 and SHA-1 hash algorithms
¶ PKIX CMP via TCP/IP for communications with the Registration Authority

Component: IBM Directory
¶ LDAP version 3.2, with RFC 1779 syntax

Component: IBM 4758 PCI Cryptographic Coprocessor Hardware
¶ FIPS 140 level 4 requirements for resistance to physical attacks
¶ Support for industry-accepted cryptography standards:
v DES for encryption/decryption
v RSA for signing/signature verification
v PKCS #1 block type 00
v PKCS #1 block type 01
v PKCS #1 block type 02
v MD5 and SHA-1 hash algorithms
v ANSI X9.9 and X9.23
v ISO 9796

Component: IBM CCA Cryptographic Coprocessor Support Program
Provides services for the 4758 coprocessor, including the secure generation of RSA key pairs with modulus lengths as long as 2048 bits, and:
¶ SET (Secure Electronic Transaction)
¶ DES for encryption and decryption
¶ RSA for signing and signature verification
¶ MD5 and SHA-1 hash algorithms

Note that these lists describe the product as shipped. SSL version 2, MD5, SHA-1, DES, and 1024-bit RSA keys are no longer considered adequate protection, so where the product offers a choice, use the strongest option it supports (for example, SSL version 3 and a 2048-bit CA signing key).

X.509 Version 3 Certificates

Tivoli PKI certificates support most of the fields and extensions defined in the X.509 version 3 (X.509v3) standard. This support enables the certificates to be used for most cryptographic purposes, such as SSL, IPSec, VPN, and S/MIME.

Tivoli PKI certificates can include the following types of extensions:

Standard Extensions
The standard X.509v3 certificate extensions, such as key usage, private key usage period, subject alternative name, basic constraints, and name constraints.

Common Extensions
Extensions that are unique to Tivoli PKI, such as host identity mapping. This extension associates the subject of a certificate with a corresponding identity on a host system.

Private Extensions
Extensions that an application can use to identify an online validation service that supports the issuing CA.

To support your organization's registration policies, Tivoli PKI also provides the means for you to customize and define certificate extensions. For example, you can change the extensions that are specified in the default certificate profiles, or create profiles that return certificates with different extensions.


For complete information about creating or customizing certificate extensions and certificate profiles, see the Tivoli PKI Customization Guide.


System Requirements

Your operating environment must meet the software and hardware requirements that are discussed in the following sections. For the latest information about system requirements, see the Tivoli Public Key Infrastructure (PKI) Release Notes. The Release Notes may contain information that supersedes the product publications.

To obtain the most current Release Notes, access the Tivoli Public Key Infrastructure Web site.

Server Software Requirements

To distribute the work load among processors, and to support your organization's existing system configuration, you can install the Tivoli PKI server programs on multiple machines. For a discussion of different ways you might want to set up Tivoli PKI in your environment, see "Supported Server Configurations" on page 46.

The following table summarizes the Tivoli PKI operating system and software requirements.

Product: One of the following operating systems:
¶ IBM AIX/6000 (AIX), version 4.3.3 Maintenance Level 6
¶ Microsoft Windows NT, version 4.0 with Service Pack 5
Notes:
¶ Required.
¶ You must install all Tivoli PKI server programs on the same platform. You cannot mix AIX and Windows NT machines in a single Tivoli PKI installation.

Product: IBM DB2 Universal Database, version 6.1 Fix Pack 4
Notes:
¶ Required; provided in the Tivoli PKI media package.
¶ A unique database exists for each Tivoli PKI server component. Before installing Tivoli PKI, you must install DB2 on each machine that you plan to use as a Tivoli PKI server.

Product: IBM WebSphere Application Server, Standard Edition, version 3.5 Program Temporary Fix (PTF) 4. Includes the IBM HTTP Server, version 1.3.12.3 and Sun Java Development Kit (JDK), version 1.2.2 Program Temporary Fix (PTF) 8
Notes:
¶ Required; provided in the Tivoli PKI media package.
¶ Before installing Tivoli PKI, you must install the Web server software on the same machine where you plan to install the Registration Authority.

Product: IBM Directory, version 3.1.1.5
Notes:
¶ Required; provided in the Tivoli PKI media package.
¶ Before installing Tivoli PKI, you must install the Directory software. You can install it on the same machine with Tivoli PKI, or you can install it on a remote machine.

Product:
¶ IBM 4758 PCI Cryptographic Coprocessor
¶ IBM 4758 CCA Support Program, version 2.2.1.0
Notes:
¶ Optional; available only for AIX systems; you must order this product through normal IBM ordering channels.
¶ Before installing Tivoli PKI, you must install the 4758 hardware and support program on the server where you plan to install the Certificate Authority or the Registration Authority.
¶ The 4758 cryptographic card requires a PCI bus on the RS/6000.


Server Hardware Requirements

The machine configuration you choose for Tivoli PKI depends on your anticipated business activity and whether you intend to use Tivoli PKI on AIX or Windows NT.

¶ If you plan to run Tivoli PKI on an AIX system, you must install it on an IBM RISC System/6000 (RS/6000) machine.

¶ If you plan to run Tivoli PKI on a Windows NT system, IBM recommends that you install it on an IBM Netfinity Server.

Use the following definitions as a guideline when assessing your capacity and throughput requirements:

Small Production or Test Environment
A site that issues hundreds of certificates per day. This may be a system set up to issue certificates to employees through an intranet, or a system set up for test and application development purposes.

Medium Production Environment
A site that issues thousands of certificates per day. This may be a system that is set up by small and medium businesses to issue certificates over the Internet.

Large Production Environment
A site that issues thousands of certificates per day. This may be a system that is set up by a large business to issue certificates over the Internet. It may also be a system that provides third-party CA services to other organizations.


The following table summarizes the recommended machine requirements for a small production environment. You should adapt your physical machine configuration in accordance with your anticipated processing needs.

Platform   Machine Type   Processors                    Disk Space   Memory
AIX        RS/6000        1 (233 MHz)                   4 GB         256 MB
NT         PC             1 (Intel Pentium 300 MHz)     2 GB         256 MB

Setup Wizard Requirements

IBM recommends the following workstation configuration for running the Tivoli PKI configuration applet (Setup Wizard).

¶ The following physical machine setup:
v Intel Pentium processor with at least 64 MB of RAM
v A computer display that supports 1024x768 or higher resolutions at 65536 colors

¶ One of the following operating systems:
v Microsoft Windows 95
v Microsoft Windows 98
v Microsoft Windows NT

¶ A Web browser that supports JDK 1.1-based applets, such as the following:
v Netscape Navigator or Netscape Communicator, version 4.7x only.

Note: Netscape Navigator or Netscape Communicator, version 6 is not supported for the configuration applet or the RA Desktop. Netscape Navigator or Netscape Communicator, version 6 is only supported for certificate operations such as enrollment, renewal, revocation, and backup and recovery.

v Microsoft Internet Explorer, version 5.0 or later

You must install the official version of the browser as distributed by Netscape or Microsoft. Versions obtained from third-party vendors may not display information correctly, especially when running an applet in a language other than English.

See the Tivoli PKI Configuration Guide for complete information about running the Setup Wizard and configuring your Tivoli PKI system.

Client Requirements

To determine whether your workstation meets the requirements for using a browser to request and manage certificates, see the Tivoli PKI User's Guide.

To determine whether your workstation meets the requirements for running the Tivoli PKI RA Desktop, see the Tivoli PKI RA Desktop Guide.


Planning for Tivoli PKI

This chapter discusses how Tivoli Public Key Infrastructure (PKI) interacts with its prerequisite products. Before you try to install any software or configure your system, review the checklist in "Installation Planning Checklist" on page 30. After you ensure you have satisfied those items in the checklist, review the remaining topics in this chapter. This chapter also includes guidelines for preparing the operating environment for using Tivoli PKI. This chapter includes the following topics:

¶ How to secure the system physically and protect it from unauthorized electronic intrusion

¶ How to configure IP aliases for the Web server to support your organization's firewall requirements

¶ How Tivoli PKI creates and uses databases

¶ How Tivoli PKI interacts with the Directory

¶ How Tivoli PKI interacts with the 4758 coprocessor

¶ How Tivoli PKI interacts with Policy Director

¶ Suggested server configurations for running Tivoli PKI in a multiple machine environment

¶ National language considerations for running Tivoli PKI in your organization's language locale

¶ A summary of the CDs provided in the Tivoli PKI product distribution package


Installation Planning Checklist

The following checklist identifies items you need to facilitate a successful Tivoli PKI installation. Review the items in this checklist and check them off once you have satisfied the requirement.

Item: Product Training
[ ] Tivoli PKI
    Contact your IBM or Tivoli representative for details.
[ ] IBM 4758 PCI Cryptographic Coprocessor
    Contact your IBM or Tivoli representative for details.

Item: Server Software Requirements
[ ] One of the following operating systems:
    ¶ IBM AIX/6000 (AIX), version 4.3.3 Maintenance Level 6
    ¶ Microsoft Windows NT, version 4.0 with Service Pack 5
[ ] IBM DB2 Universal Database version 6.1 Fix Pack 4
    Required; provided in the Tivoli PKI media package.
[ ] IBM WebSphere Application Server, Standard Edition version 3.5 Program Temporary Fix 4. Includes the IBM HTTP Server version 1.3.12.3 and Sun Java Development Kit (JDK) version 1.2.2 Program Temporary Fix 8.
    Required; provided in the Tivoli PKI media package.
[ ] IBM Directory version 3.1.1.5
    Required; provided in the Tivoli PKI media package.
[ ] IBM Global Security Kit SSL Runtime Toolkit (GSKit) version 4.0.3.116
    Required; provided in the Tivoli PKI media package.
[ ] IBM KeyWorks version 1.1.3.1
    Required; provided in the Tivoli PKI media package.
[ ] IBM 4758 PCI Cryptographic Coprocessor and IBM 4758 CCA Support Program, version 2.2.1.0
    Optional; available only for AIX systems; you must order this product through normal IBM ordering channels.

Item: Server Hardware Requirements
[ ] One of the following platforms:
    ¶ AIX: IBM RISC System/6000
    ¶ Windows NT: IBM Netfinity Server
    With:
    ¶ 4 GB disk space
    ¶ 256 MB memory
    ¶ One 233 MHz processor (AIX), or
    ¶ One 300 MHz Intel Pentium processor (Windows NT)

Item: Setup Wizard Requirements
[ ] Intel Pentium processor with at least 64 MB of RAM
[ ] A computer display that supports 1024x768 or higher resolutions at 65536 colors
[ ] One of the following operating systems:
    ¶ Microsoft Windows 95
    ¶ Microsoft Windows 98
    ¶ Microsoft Windows NT
[ ] A Web browser that supports JDK 1.1-based applets, such as the following:
    ¶ Netscape Navigator or Netscape Communicator, version 4.7x only, for Windows platforms
    ¶ Microsoft Internet Explorer, version 5.0 or later
    You must install the official version of the browser as distributed by Netscape or Microsoft. Versions obtained from third-party vendors may not display information correctly, especially when running an applet in a language other than English.

Item: RA Desktop Requirements
[ ] Intel Pentium processor with at least 64 MB of RAM
[ ] A computer display that supports 1024x768 or higher resolutions at 65536 colors
[ ] One of the following operating systems:
    ¶ Microsoft Windows 95
    ¶ Microsoft Windows 98
    ¶ Microsoft Windows NT
[ ] One of the following Web browsers:
    ¶ Netscape Navigator or Communicator, release 4.7x only
    ¶ Microsoft Internet Explorer, release 5.0 or later
    You must install the official version of the product, distributed by Netscape or Microsoft. With Internet Explorer, you must have Java Virtual Machine (JVM), release 5.00, build 3167 or later.

Item: Client Requirements
[ ] Intel Pentium processor with at least 64 MB of RAM
[ ] In addition, a computer display that supports 1024x768 or higher resolutions at 65536 colors
[ ] One of the following operating systems:
    ¶ Microsoft Windows 95
    ¶ Microsoft Windows 98
    ¶ Microsoft Windows NT
[ ] A Web browser such as the following:
    ¶ Netscape Navigator or Netscape Communicator, version 4.7 or later, for Windows platforms
    ¶ Microsoft Internet Explorer, version 5.0 or later
    You must install the official version of the product, distributed by Netscape or Microsoft.


Securing the System

Tivoli PKI uses encryption, digital signatures, and digital certificates to protect transactions and to protect your resources from unauthorized intrusion. However, the security of the Tivoli PKI server itself is dependent on the security of its underlying operational environment.

This section provides suggestions for securing the physical environment of your system to minimize penetration by unauthorized users before you begin to install the Tivoli PKI software.

The following are some security items for you to consider:

Isolated Area
Set up the server in an isolated room that is dedicated to Certificate Authority (CA) activity. If possible, the room should have reinforced walls, a single solid-core wood or steel door, and a solidly-constructed ceiling with no drop panels. The room should also have a raised floor to protect against discharges in the event of a fire.

Maintained Area
The room should provide an uninterruptible power supply (UPS) for the computers, light fixtures, motion detectors, and heating and cooling systems. Monitor the room's temperature controls to ensure that cool air flow is sufficient to offset the heat that is generated by the equipment.

Controlled Access
You can restrict access to the physical area in a number of ways, for example, by using badges or keypad-controlled door locks. To prevent malicious tampering by a single individual, you should install controls that require the presentation of proper credentials by at least two trusted employees.

You should also monitor the room to keep track of each time the secure area is accessed, and by whom. For maximum security, install motion detectors both inside and outside the door.


Controlled Communications
There should be no spare open ports on the Tivoli PKI server. You should configure the system so that it listens for requests only on those ports that are explicitly assigned to active Tivoli PKI applications.
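One way to verify this requirement on the server itself is to compare the listening sockets reported by netstat -an against the ports you have assigned. The Python script below is an added example, not a Tivoli PKI utility; it parses the AIX and Windows NT output formats of netstat -an and reports every TCP listener on a port outside the allowlist. The two netstat samples are constructed for the example, and the allowlist holds only the default Web server ports documented under "Configuring IP Aliases for the Web Server" (80, 443 and 1443); a real installation must add every port its own components are assigned.

```python
import re

# Listening sockets as printed by "netstat -an" on AIX ("tcp4 ... LISTEN") and on
# Windows NT ("TCP ... LISTENING"). Both regexes capture the local-address column.
_AIX_LISTEN = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s*$")
_NT_LISTEN = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s*$")


def parse_listeners(netstat_output):
    """Return (address, port) pairs for every TCP socket in the LISTEN state."""
    listeners = []
    for line in netstat_output.splitlines():
        match = _AIX_LISTEN.match(line) or _NT_LISTEN.match(line)
        if not match:
            continue
        local = match.group(1)
        # AIX prints "*.443" or "10.0.0.5.443"; Windows NT prints "0.0.0.0:443".
        separator = ":" if ":" in local else "."
        address, _, port = local.rpartition(separator)
        listeners.append((address, int(port)))
    return listeners


def unexpected_listeners(listeners, allowed_ports):
    """Sockets listening on a port that no Tivoli PKI application was assigned."""
    return sorted({(address, port) for address, port in listeners if port not in allowed_ports})


# Constructed samples of netstat output; not captured from a real system.
SAMPLE_AIX = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  *.443                  *.*                    LISTEN
tcp4       0      0  *.1443                 *.*                    LISTEN
tcp4       0      0  *.23                   *.*                    LISTEN
tcp4       0      0  10.0.0.5.443           10.0.0.77.51234        ESTABLISHED
"""

SAMPLE_NT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1443           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    10.0.0.6:443           10.0.0.80:1025         ESTABLISHED
"""

# Default Web server ports from this chapter; extend with every port your installation assigns.
ASSIGNED_PORTS = {80, 443, 1443}


def audit(netstat_output, allowed_ports=ASSIGNED_PORTS):
    """Run the check over one netstat capture and return the offending listeners."""
    return unexpected_listeners(parse_listeners(netstat_output), allowed_ports)


if __name__ == "__main__":
    for name, sample in (("AIX", SAMPLE_AIX), ("NT", SAMPLE_NT)):
        print(name, audit(sample))
```

Anything the audit reports (here the telnet listener on the AIX sample and the FTP listener on the NT sample) should be disabled in the operating system rather than merely blocked at the firewall, because the requirement above is that the server itself does not listen on spare ports.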

Using Firewall Technology

IBM strongly recommends that you install a firewall, such as IBM Firewall, to protect the Tivoli PKI system from intrusion through another part of your network. A firewall allows you to secure the system in the following ways:

¶ Control which applications are able to access your internal network from the Internet

¶ Control which addresses on your internal network an authorized application can access

¶ Prevent internal applications from accessing the external network (Internet)

¶ Authenticate the sources of all incoming requests and permit or deny access accordingly

To enforce access restrictions, you should configure the Tivoli PKI servers behind the firewall. You should ensure that the firewall you install provides the following minimum functionality:

¶ A screening router to selectively block data packets according to your policy preferences. For example, your firewall should allow you to establish controls that restrict communications to specific IP addresses and ports.

¶ A proxy server to act as an intermediary between client/server requests. For example, your firewall should allow you to intercept FTP or HTTP requests from users before routing them to the appropriate server process. Doing so prevents the client and server from communicating directly with each other.

¶ A perimeter network to provide an extra buffer that can segregate and protect the internal network in the event that the external network is compromised.


Keep in mind that you can install the Tivoli PKI server programs on multiple machines, an arrangement that provides several advantages. For example, you can achieve performance improvements by spreading the work load across multiple processors, set up separate backup schedules, and control access to different processes through IP address mapping. To ensure the security of these programs, however, you must configure these servers behind the firewall. You must take the same precautions to protect them that you do to protect the main server.

Working with Tivoli PKI Databases

Tivoli PKI uses IBM DB2 Universal Database software to manage data. The DB2 version included in the Tivoli PKI media package is intended for use by Tivoli PKI applications only. If you want to customize the database software, or use it for purposes other than Tivoli PKI, you must purchase a license for a complete version of IBM DB2 Enterprise Edition.

If you plan to set up Tivoli PKI in a multiple-machine configuration, you must install the Tivoli PKI database software on each machine where you plan to install a Tivoli PKI server component.

As part of running a post-installation configuration program, Tivoli PKI creates the cfgdb database for configuration data and populates it with default configuration values.

During configuration, Tivoli PKI creates the following databases for CA data, registration data, audit data, and key backup and recovery data. If you install Tivoli PKI on AIX, you must create disk partitions for these databases before you start the installation process. See "Setting Up AIX Volume Groups and File Systems" on page 53 for details.
¶ ibmdb
¶ pkrfdb
¶ adtdb
¶ krbdb


Unless it already exists, Tivoli PKI also creates the ldapdb database for the Directory.

If you install all the server components on the same machine, the configuration programs create the databases in the background. If you install the CA, Audit, or Directory components on remote machines, there are steps you must take during configuration to ensure that the databases are properly instantiated. The Tivoli PKI Configuration Guide discusses these remote configuration procedures.

If you install Tivoli PKI on AIX, the configuration, CA, registration, audit, and key backup and recovery databases are created under an instance named cfguser. Unless a database for the Directory was previously created, it is also created under the cfguser instance.

If you install Tivoli PKI on Windows NT, the instance name for the Tivoli PKI databases matches the username under which you install the product (the suggested value is cfguser, but your installation may be different). Unless a database for the Directory was previously created, it is created under an instance named ldapInst.

To support backup and recovery, Tivoli PKI enables audit logging for registration and certification events. See the Tivoli PKI System Administration Guide for guidelines on how to archive the audit logs and how to back up and restore the system. For additional information about how to back up and restore the databases, consult with your local DB2 database administrator.

Configuring IP Aliases for the Web Server

The Tivoli Public Key Infrastructure media package includes the Web server software you need for Tivoli PKI: IBM WebSphere Application Server, IBM HTTP Server, and the Sun Java Development Kit (JDK). After installing this software, you might want to configure particular ports for processing public and secure requests.


In a Tivoli PKI system, the Web server needs to support the following kinds of requests:

¶ Non-Secure Sockets Layer (SSL), or public requests

¶ Secure SSL requests without client authentication

¶ Secure SSL requests with client authentication

In the default configuration, Tivoli PKI designates ports on the Web server to handle each type of request. This enables you to use the system as installed without making special adjustments to your network configuration.

The following table summarizes this architecture and the default port values:

Protocol   SSL   Server Authentication   Client Authentication   Port Number
HTTP       No    No                      No                      80
HTTPS      Yes   Yes                     No                      443
HTTPS      Yes   Yes                     Yes                     1443

In many secure systems, only ports 80 and 443 can be open through the firewall, and only port 443 can be used for an SSL connection. If this is the case for your organization, you must configure the Web server so that different types of requests can be processed through the same port. For example, you might want to configure the system so that both of the secure servers listen for requests at port 443.

To provide multiple access points to the same machine through the same port, you must define virtual host names and associate them with IP addresses that are aliases of the machine's real IP address. This concept, known as IP aliasing, allows you to run multiple independent servers on a single machine.

Note: If you do not intend to use the default configuration values for the Web server ports, you must configure the IP aliases before you run the Tivoli PKI configuration applet. The configuration programs rely on these values when creating the CA certificate for your system.

You set up IP aliases in your TCP/IP Domain Name Services (DNS). For Tivoli PKI, do the following to configure two aliases:

¶ Configure DNS and specify the machine's host name and IP address. Use this entry for the public server that listens for non-SSL requests at port 80.

¶ Add an alias (virtual) host name and an alias IP address. Use this entry for the secure Web server that listens for SSL, non-client-authenticated requests at port 443.

¶ Add a second alias host name and a second alias IP address. Use this entry for the secure Web server that listens for SSL, client-authenticated requests at port 443.

Note that these alias host names and IP addresses must be unique and they must map to the same physical machine.
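The constraints in the procedure above (one server per address and port, every alias address belonging to the same machine, client authentication only on an SSL server, and every port open through the firewall) can be checked before you run the configuration applet. The Python script below is an added example and not part of Tivoli PKI; the host names, the 10.0.0.x addresses and the firewall policies are constructed for illustration. It validates the default three-port plan and the two-alias plan from this section against both an open firewall and one that allows only ports 80 and 443.

```python
import ipaddress
from collections import namedtuple

# One Web server endpoint: the (virtual) host name, the address it binds, its port,
# and whether it speaks SSL / requires a client certificate.
Endpoint = namedtuple("Endpoint", "host ip port ssl client_auth")


def validate_plan(endpoints, machine_addresses, firewall_ports):
    """Return the problems with a port/alias plan; an empty list means it is consistent."""
    problems = []
    machine = {ipaddress.ip_address(a) for a in machine_addresses}
    names, sockets = set(), set()
    for e in endpoints:
        if (e.host, e.port) in names:
            problems.append(f"{e.host}:{e.port} is used by more than one server")
        names.add((e.host, e.port))
        if ipaddress.ip_address(e.ip) not in machine:
            problems.append(f"{e.host}: {e.ip} is not an address of this machine")
        if (e.ip, e.port) in sockets:
            problems.append(f"{e.ip}:{e.port} is bound by more than one server")
        sockets.add((e.ip, e.port))
        if e.port not in firewall_ports:
            problems.append(f"{e.host}: port {e.port} is not open through the firewall")
        if e.client_auth and not e.ssl:
            problems.append(f"{e.host}: client authentication requires SSL")
    return problems


# Default configuration: one host name, one address, the three default ports.
DEFAULT_PLAN = [
    Endpoint("pki.example.com", "10.0.0.5", 80, False, False),
    Endpoint("pki.example.com", "10.0.0.5", 443, True, False),
    Endpoint("pki.example.com", "10.0.0.5", 1443, True, True),
]

# Restricted configuration: the firewall opens only 80 and 443, so each secure server
# gets its own alias host name and alias address and both listen on 443.
ALIAS_PLAN = [
    Endpoint("pki.example.com", "10.0.0.5", 80, False, False),
    Endpoint("pki-ssl.example.com", "10.0.0.6", 443, True, False),
    Endpoint("pki-auth.example.com", "10.0.0.7", 443, True, True),
]

# A mistaken alias plan: both secure servers were given the same alias address.
BROKEN_PLAN = [
    Endpoint("pki.example.com", "10.0.0.5", 80, False, False),
    Endpoint("pki-ssl.example.com", "10.0.0.6", 443, True, False),
    Endpoint("pki-auth.example.com", "10.0.0.6", 443, True, True),
]

ONE_ADDRESS = ["10.0.0.5"]
THREE_ADDRESSES = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]

if __name__ == "__main__":
    print(validate_plan(DEFAULT_PLAN, ONE_ADDRESS, {80, 443, 1443}))
    print(validate_plan(DEFAULT_PLAN, ONE_ADDRESS, {80, 443}))
    print(validate_plan(ALIAS_PLAN, THREE_ADDRESSES, {80, 443}))
    print(validate_plan(BROKEN_PLAN, THREE_ADDRESSES, {80, 443}))
```

Feed the script the host names and addresses you intend to enter in DNS and the addresses actually configured on the server; a clean result for the alias plan is the precondition for running the configuration applet, since the CA certificate is generated from these values.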

For information about configuring virtual host names and IP aliases, consult the documentation provided with your DNS product. You can also review documentation available for the IBM HTTP Server. For example, access the User Assistance information available at the following IBM HTTP Server Web site: http://www.ibm.com/software/webservers/httpservers/library.html

Working with the Directory

The Tivoli Public Key Infrastructure media package includes the software you need for installing the IBM Directory. You can install the software provided with Tivoli PKI and set it up specifically for use with Tivoli PKI, or you can use Tivoli PKI with an existing IBM Directory. When you install the Tivoli PKI server software, the installation programs update the Directory with information that is required by the Tivoli PKI components.

During configuration, Tivoli PKI creates entries that it needs in order to bind to the Directory and publish information. For example, the configuration program creates an entry for the Tivoli PKI CA and assigns the appropriate Directory access permissions.

If you install all the server components on the same machine, the configuration programs update the Directory in the background. If you install the Directory on a remote machine, there are steps you must take during configuration to ensure that it is properly configured. The Tivoli PKI Configuration Guide discusses this procedure.

Directory Schema

Each entry in the Directory represents a single object, such as a person, organization, or device, that is identified by a unique and unambiguous distinguished name (DN). The Directory schema defines the rules for DNs, such as how to declare them and the types of information that can or must be included in a DN.

The DN contains a set of attributes that helps to uniquely identify the object and delineate the object’s privileges. For example, attributes might identify where the object is located, the organization with which that object is affiliated, and the name by which the object is known.

To help you define the Directory entries that Tivoli PKI needs, the configuration applet provides a graphical user interface (GUI). The Distinguished Name Editor allows you to specify DN attributes without having to be aware of Directory schema requirements.

Directory Access Controls

All Directory entries are logically organized into a hierarchical structure that is called the Directory Information Tree (DIT). This tree has a single root and an unlimited number of cascading nodes. Each node corresponds to a Directory entry that is identified by a distinguishing attribute.

The Directory allows access control privileges to be set for an individual entry or for an entry and its entire subtree. When you configure Tivoli PKI, it automatically applies the appropriate privileges for each Tivoli PKI DN entry. To summarize:


¶ The CA must be able to access all entries at or below its DN entry point in the Directory hierarchy. Objects at or below the CA’s base level are members of the CA’s administrative domain. They represent the entities that are authorized to receive a public key and certificate certified by the CA.

¶ Because the Tivoli PKI CA does not directly bind to the Directory, it uses an agent called the Directory administrator. The Directory administrator carries out requests between the CA, RA, and Directory. It is authorized to update all entries in the CA’s subtree in the Directory. This includes the ability to add, delete, change, read, search, and compare Directory entries.

¶ Each Tivoli PKI system defines a Directory root DN. The root DN is a configured entity that does not actually exist in the Directory tree. As the root administrator, it has the authority to update all nodes in the Directory, not just those in a particular CA’s subtree.

Attributes in the root DN describe the protocols and controls supported by the Directory. This enables clients such as Tivoli PKI to determine basic information about the server and the Directory tree. It also enables Tivoli PKI to bind to the Directory to make changes to it.
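The subtree scoping described above (entries at or below the CA's base DN belong to its administrative domain, while the root DN covers the whole tree) can be checked with a small script. The following is an added example, not code from the Tivoli PKI product or this manual; it assumes a simplified DN normalization (case-folding and trimming whitespace around "," and "=") rather than a real Directory server's matching rules, and the CA base DN and candidate entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: is a Directory entry inside a CA's administrative domain,
# that is, at or below the CA's base DN? Not part of the Tivoli PKI product.
# Assumption for illustration only: DNs are normalized by case-folding and
# trimming whitespace around "," and "=", which is simpler than a real
# Directory server's matching rules. All DNs below are constructed.

# normalize_dn "<dn>": print the canonical form used for comparison.
normalize_dn() {
  printf '%s\n' "$1" |
    tr '[:upper:]' '[:lower:]' |
    sed -e 's/[[:space:]]*,[[:space:]]*/,/g' \
        -e 's/[[:space:]]*=[[:space:]]*/=/g' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# dn_in_subtree "<entry dn>" "<base dn>"
# Returns 0 when the entry is the base itself or any descendant of it.
# An empty base stands for the Directory root, which contains every entry
# (the scope the root DN administrator has).
dn_in_subtree() {
  entry=$(normalize_dn "$1")
  base=$(normalize_dn "$2")
  [ -z "$base" ] && return 0
  [ "$entry" = "$base" ] && return 0
  # A descendant's DN ends with ",<base>": the comma keeps the match on an
  # RDN boundary, so "ou=ca2,o=ibm,c=us" is not under "ou=ca,o=ibm,c=us".
  case "$entry" in
    *",$base") return 0 ;;
  esac
  return 1
}

# Constructed CA base DN and candidate entries.
CA_BASE='ou=Tivoli PKI CA, o=IBM, c=US'
SAMPLE_DNS='cn=Alice Smith,ou=People,ou=Tivoli PKI CA,o=IBM,c=US
OU=Tivoli PKI CA , O=IBM , C=US
cn=Bob,ou=Other Unit,o=IBM,c=US
ou=Tivoli PKI CA2,o=IBM,c=US'

# Report which sample entries fall within the CA's subtree, i.e. which
# ones the CA's Directory administrator is authorized to update.
printf '%s\n' "$SAMPLE_DNS" | while IFS= read -r dn; do
  if dn_in_subtree "$dn" "$CA_BASE"; then
    echo "in CA domain:  $dn"
  else
    echo "outside:       $dn"
  fi
done
```

The boundary comma in the `case` pattern is the part worth noting: a plain suffix match would wrongly place a sibling such as `ou=Tivoli PKI CA2,o=IBM,c=US` inside the CA's domain.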

Working with the 4758 Coprocessor

Although this product is optional, you are encouraged to use the IBM 4758 PCI Cryptographic Coprocessor to help maximize the security of CA and RA signing keys. Doing so can help minimize your exposure to harm from abusive system administrators or system infiltrators.

Note: Support for the 4758 coprocessor is provided only in the AIX version of Tivoli PKI.

The 4758 coprocessor uses the IBM Common Cryptographic Architecture API to provide strong cryptographic services. All cryptographic processing occurs within the secure boundaries of the physical cryptographic card.


During installation, the 4758 configuration program generates a master key and stores it in hardware. In a Tivoli PKI system, the coprocessor uses this master key, and an RSA algorithm, to triple-encrypt the CA’s or RA’s signing key. This step provides an extra layer of security against attempts to compromise or otherwise decipher the CA’s or RA’s signature.

In addition to its cryptographic intelligence, the 4758 coprocessor can detect attempts to tamper with the hardware or master key, irregularities in voltage and temperature, and excess radiation. On detection, the keys required to access data that is secured in the module are destroyed.

Note: For information about installing, configuring, and cloning the 4758 coprocessor, refer to the IBM 4758 product documentation.

Storing the CA or RA Keys in Hardware

If you decide to use the 4758 coprocessor, you must install it on the machine where you installed the Tivoli PKI CA server or Tivoli PKI RA server before configuring the Tivoli PKI system. When configuring the CA or RA, you specify whether or not it should use the coprocessor to store its signing key.

In most Tivoli PKI systems, the CA or RA key is not physically stored with the master key. However, a configuration option enables you to override this default, an action that IBM discourages. If the 4758 coprocessor hardware fails, you must be prepared to take immediate corrective action.

If you choose to store the CA or RA key in hardware, you should prepare a disaster recovery plan. You need to understand the risks and corrective actions associated with this decision:

¶ When the 4758 coprocessor is backed up, only its master key is backed up, not any other keys stored on the hardware card. Therefore, if the card is damaged, or some other hardware failure occurs, you will lose the CA or RA signing key.


¶ If the CA or RA key is lost or compromised, you must take the CA or RA down and bring it up with a new key. While the CA or RA is unavailable, users whose certificates are signed by the CA or RA cannot use them because there is no means to validate them.

¶ Because the certificates that were signed with the CA’s or RA’s original key are no longer valid, you must issue new certificates signed with the new CA or RA key after you re-establish the CA or RA.

Refer to the Tivoli PKI System Administration Guide for a further discussion on the 4758 coprocessor.

Integration with Policy Director

Tivoli Policy Director provides end-to-end security for resources that span geographically-dispersed intranets and extranets. It includes extensive support for authentication, authorization, data security, and resource management. By integrating Policy Director with Tivoli PKI, you can create a secure and certificate-protected environment for your e-business activities.

Policy Director provides a single point of control for Web environments. When a user attempts to access a secure site, Policy Director can require a single sign-on for each Web user, authenticate the user’s identity, and verify the user’s authority to access a protected area. As part of this validation process, Policy Director can be configured to evaluate Tivoli PKI certificates.

For example, you can configure Policy Director to accept only those certificates that have been signed by a trusted CA, one that is known to Policy Director. By providing Policy Director with a Tivoli PKI CA certificate, you can easily establish a barrier between unauthorized users and the resources you need to protect.

For information about using Tivoli PKI certificates in a Policy Director environment, see the IBM Redbook, Tivoli SecureWay Policy Director Centrally Managing e-business Security, SG24-6008-00.


Tivoli PKI can be customized to further integrate with Policy Director, through the use of Business Process Objects (BPOs). For example, you can write a BPO to create a Policy Director user ID once a certificate request is approved. In this way, the certificate is bound to the Policy Director ePerson object created in LDAP. Supplying a BPO that performs this function has the added benefit of providing a Web-based enrollment mechanism for Policy Director as well.

Refer to the IBM Redbook, Working with Business Process Objects for Tivoli SecureWay PKI, SG24-6043-00, for guidance on developing and customizing BPOs to suit your own unique business requirements.

Supported Server Configurations

You can install all the Tivoli PKI server components on a single machine or distribute the processing among multiple machines. The following constraints, however, must be satisfied:

¶ The Web server, WebSphere, and the main Tivoli PKI server, which includes the RA server and the databases that hold configuration and registration data, must co-exist on the same machine.

¶ The CA server and Audit server, and their databases, must co-exist on the same machine.

¶ The Directory server and its database must co-exist on the same machine.

How you configure your server network depends on your organization’s anticipated workload and whether you use a particular machine for multiple purposes. For example, if you previously installed the Directory and use it with other applications, you might want to keep that server isolated from the other Tivoli PKI components.

The following configurations summarize the ways that you can distribute the server components:


¶ The main Tivoli PKI server, the CA and Audit servers, and the Directory server on one machine.

¶ The main Tivoli PKI server, the CA and Audit servers, and the Directory server on three separate machines.

¶ The main Tivoli PKI server on one machine, with the CA and Audit servers and the Directory server on a second machine.

¶ The main Tivoli PKI server and CA and Audit servers on one machine, with the Directory server on a second machine.

¶ The main Tivoli PKI server and Directory server on one machine, with the CA and Audit servers on a second machine.

International Environment Considerations

The Tivoli PKI components have been enabled for deployment in an international environment:

¶ Message files and graphical user interfaces (GUIs) are translated and provide national language support in the following languages: English, French, German, Italian, Spanish, Brazilian Portuguese, Japanese, Korean, Simplified Chinese, and Traditional Chinese.

¶ All textual input fields support Unicode through UTF-8 encoding.

¶ All distinguished names support Unicode through UTF-8 encoding.

In Tivoli PKI, all directory paths in the configuration files are available in English only and must be specified in ASCII format.

Because of government export regulations, the Tivoli PKI product is distributed in separate encryption editions. The edition available to domestic customers (U.S., U.S. subsidiaries, and Canada) includes a stronger encryption algorithm than the edition that is made available to international customers. The cryptographic algorithms are predetermined in the product code and cannot be altered when you install, configure, or use the product.


Tivoli PKI Media Package

Software for the Tivoli PKI product is distributed in a media package that contains the following CDs:

¶ IBM WebSphere Application Server for AIX Standard Edition V3.5 Application Server and IBM HTTP Server CD

This CD contains the Web server software that is required for Tivoli PKI. It includes the WebSphere Application Server and the IBM HTTP Server.

¶ IBM WebSphere Application Server for AIX Standard Edition V3.5 IBM Directory

This CD contains the database and Directory software that is required for Tivoli PKI.

¶ Tivoli Public Key Infrastructure for AIX V 3.7.1, CD 1

This CD contains the database software that is required for Tivoli PKI and includes the following:

v The Tivoli PKI Registration Authority, Certificate Authority, and Audit server programs; Directory-related software; and programs for installing, configuring, and administering the product.

v An installation image for the Tivoli PKI Registration Authority Desktop applet.

Platform-specific CDs are provided for AIX.

¶ Tivoli Public Key Infrastructure for AIX V 3.7.1, CD 2

This CD contains software required for Tivoli PKI and program fixes.

¶ Tivoli Public Key Infrastructure Up and Running

¶ Tivoli Public Key Infrastructure Release Notes


Installing Tivoli PKI on AIX

This chapter provides procedures for installing Tivoli Public Key Infrastructure (PKI) and its prerequisite products on an AIX platform.

Before you begin installing software for Tivoli PKI, be sure to read the latest version of the product Release Notes. To obtain the most current version of the Release Notes, access the Tivoli Public Key Infrastructure Web site: http://www.tivoli.com/support

Install software for Tivoli PKI in the following order:

1. AIX operating system version 4.3.3

2. AIX operating system Maintenance Level 6 (followed by a reboot of the machine)

3. IBM DB2 Universal Database version 6.1 Fix Pack 4

4. IBM Directory Server version 3.1.1.5

5. IBM Developer Kit for AIX, Java Technology Edition, version 1.2.2 Program Temporary Fix 8

6. IBM WebSphere Application Server Standard Edition version 3.5

7. Upgrade IBM WebSphere Application Server Standard Edition version 3.5 with Program Temporary Fix 4

8. Disable automatic startup of IBM HTTP Server


9. Start the WebSphere Application Server

10. IBM KeyWorks version 1.1.3.1

11. Tivoli PKI server software

Setting Up AIX

Use the following guidelines when installing AIX software on the machine or machines where you plan to install Tivoli PKI software. If you previously installed AIX, use these guidelines as a checklist to make sure that you installed all the files that are required by the Tivoli PKI components.

If you are setting up Tivoli PKI in a multiple machine configuration, you must install AIX on each machine where you plan to install a Tivoli PKI server component.

To begin the installation process, do the following:

1. Perform a New and Complete installation, not a Preservation installation.

Note: Do not install any fix levels at this time. You do this later in the installation process.

2. Make sure that the machine’s language locale is set to the language in which you plan to run Tivoli PKI applications.

3. Tivoli PKI supports the AIX Trusted Computing Base (TCB). If you want to use this feature, which further extends the security of your operating system, select this option to enable it when installing AIX.

4. When configuring TCP/IP, enter the system short name as the HOSTNAME. For example, enter hostname instead of “hostname.mycompany.com”. Do the following after installing AIX to verify you have specified the name correctly:

a. Type smitty.

b. Select Communications Applications and Services.

c. Select TCP/IP.


d. Select Minimum Configuration and Startup.

e. Select the appropriate network interface from the Available Network Interfaces list. For example, select en0 Standard Ethernet Network Interface.

f. Verify the HOSTNAME value is in the correct form.

Verifying Filesets

After installing AIX and restarting the system, confirm that the following filesets were installed:

bos.adt.base 4.3.3.0 COMMITTED Base Application Development
bos.adt.debug 4.3.3.0 COMMITTED Base Application Development
bos.adt.graphics 4.3.3.0 COMMITTED Base Application Development
bos.adt.include 4.3.3.0 COMMITTED Base Application Development
bos.adt.lib 4.3.3.0 COMMITTED Base Application Development
bos.adt.libm 4.3.3.0 COMMITTED Base Application Development
bos.adt.prof 4.3.3.0 COMMITTED Base Profiling Support
bos.adt.prt_tools 4.3.3.0 COMMITTED Printer Support Development
bos.adt.samples 4.3.3.0 COMMITTED Base Operating System Samples
bos.adt.sccs 4.3.3.0 COMMITTED SCCS Application Development
bos.adt.syscalls 4.3.3.0 COMMITTED System Calls Application
bos.adt.utils 4.3.3.0 COMMITTED Base Application Development
bos.adt.data 4.3.0.0 COMMITTED Base Application Development
X11.adt.bitmaps 4.3.0.0 COMMITTED AIXwindows Application
X11.adt.ext 4.3.3.0 COMMITTED AIXwindows Application
X11.adt.imake 4.3.3.0 COMMITTED AIXwindows Application
X11.adt.include 4.3.3.0 COMMITTED AIXwindows Application
X11.adt.lib 4.3.3.0 COMMITTED AIXwindows Application
X11.adt.motif 4.3.3.0 COMMITTED AIXwindows Application
X11.apps.aixterm 4.3.3.0 COMMITTED AIXwindows aixterm Application
X11.apps.clients 4.3.3.0 COMMITTED AIXwindows Client Applications
X11.apps.config 4.3.3.0 COMMITTED AIXwindows Configuration
X11.apps.custom 4.3.3.0 COMMITTED AIXwindows Customizing Tool
X11.apps.msmit 4.3.3.0 COMMITTED AIXwindows msmit Application
X11.apps.rte 4.3.3.0 COMMITTED AIXwindows Runtime
X11.apps.util 4.3.3.0 COMMITTED AIXwindows Utility
X11.apps.xterm 4.3.3.0 COMMITTED AIXwindows xterm Application
X11.base.common 4.3.3.0 COMMITTED AIXwindows Runtime Common
X11.base.lib 4.3.3.0 COMMITTED AIXwindows Runtime Libraries
X11.base.rte 4.3.3.0 COMMITTED AIXwindows Runtime Environment
X11.base.smt 4.3.3.0 COMMITTED AIXwindows Runtime Shared
X11.compat.lib.X11R5 4.3.3.0 COMMITTED AIXwindows X11R5 Compatibility
X11.fnt.coreX 4.3.0.0 COMMITTED AIXwindows X Consortium Fonts
X11.fnt.defaultFonts 4.3.2.0 COMMITTED AIXwindows Default Fonts
X11.fnt.iso1 4.3.3.0 COMMITTED AIXwindows Latin 1 Fonts
X11.motif.lib 4.3.3.0 COMMITTED AIXwindows Motif Libraries
X11.motif.mwm 4.3.3.0 COMMITTED AIXwindows Motif Window
ifor_ls.base.cli 4.3.3.0 COMMITTED License Use Management Runtime
ifor_ls.client.base 4.3.3.0 COMMITTED License Use Management Client
ifor_ls.client.gui 4.3.3.0 COMMITTED License Use Management Client
ifor_ls.msg.en_US.base.cli
ifor_ls.base.cli 4.3.3.0 COMMITTED License Use Management Runtime
ifor_ls.client.base 4.3.3.0 COMMITTED License Use Management Client
xlC.cpp 4.3.0.1 COMMITTED C for AIX Preprocessor
Java.rte.bin 1.1.8.0 COMMITTED Java Runtime Environment
Java.rte.classes 1.1.8.0 COMMITTED Java Runtime Environment
Java.rte.lib 1.1.8.0 COMMITTED Java Runtime Environment

If any of these filesets is not installed, install it before proceeding with the installation.

Verifying Adequate Paging Space

There must be at least 768MB of paging space. Complete the following steps to verify that there is adequate paging space:

1. Type smitty.

2. Select System Storage Management (Physical & Logical Storage).

3. Select Logical Volume Manager.

4. Select Paging Space.

5. Select List All Paging Spaces.

6. If the total size is not 768MB or more, do the following:

a. Press F3 or Cancel.

b. Select Change/Show Characteristics of a Paging Space.

c. Select the paging space name you want to increase.

d. Add the number of additional logical partitions needed to increase paging space to 768MB.
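Both of the preceding checks, the fileset verification and the paging-space verification, can be scripted instead of walked through in SMIT. The script below is an added example and is not part of the Tivoli PKI manual or product. It parses output in the format of the AIX `lslpp -l` and `lsps -s` commands; the two sample outputs embedded in it are constructed for offline use (one fileset is deliberately left in APPLIED state and one is omitted) rather than captured from a real system, and the required-fileset list is a short subset of the table above.

```shell
#!/bin/sh
# Added pre-installation check (not from the Tivoli PKI manual). It parses
# lslpp(1)-style and lsps(1)-style output; the sample outputs below are
# constructed for offline use rather than captured from a real AIX system.

# Constructed sample of `lslpp -l` output: bos.adt.debug is only APPLIED
# and the required fileset bos.adt.include is absent.
LSLPP_SAMPLE='  Fileset                      Level  State      Description
  Path: /usr/lib/objrepos
  bos.adt.base               4.3.3.0  COMMITTED  Base Application Development
  bos.adt.debug              4.3.3.0  APPLIED    Base Application Development
  bos.adt.lib                4.3.3.0  COMMITTED  Base Application Development
  Java.rte.bin               1.1.8.0  COMMITTED  Java Runtime Environment'

# Constructed sample of `lsps -s` output: total paging space in MB.
LSPS_SAMPLE='Total Paging Space   Percent Used
      512MB               3%'

# missing_filesets "<required names, whitespace separated>" "<lslpp -l output>"
# Prints, one per line, each required fileset that is not present in
# COMMITTED state (absent or merely APPLIED). Returns 0 when nothing is
# missing, 1 otherwise.
missing_filesets() {
  printf '%s\n' "$2" | awk -v req="$1" '
    BEGIN {
      n = split(req, names, /[[:space:]]+/)
      for (i = 1; i <= n; i++) if (names[i] != "") want[names[i]] = 1
    }
    # lslpp -l columns: fileset, level, state, description
    NF >= 3 && ($1 in want) && $3 == "COMMITTED" { have[$1] = 1 }
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        nm = names[i]
        if (nm != "" && !(nm in have)) { print nm; bad = 1 }
      }
      exit bad
    }'
}

# paging_space_mb "<lsps -s output>"
# Prints the total paging space in megabytes (first column of the second
# line, with its MB suffix removed).
paging_space_mb() {
  printf '%s\n' "$1" | awk 'NR == 2 { sub(/MB$/, "", $1); print $1 + 0 }'
}

# paging_space_ok "<lsps -s output>" [minimum MB, default 768]
paging_space_ok() {
  min=${2:-768}
  mb=$(paging_space_mb "$1")
  [ -n "$mb" ] && [ "$mb" -ge "$min" ]
}

# Stand-alone demonstration on the constructed samples. On a real system
# replace the samples with "$(lslpp -l)" and "$(lsps -s)" and the full list.
REQUIRED='bos.adt.base bos.adt.debug bos.adt.include bos.adt.lib Java.rte.bin'
if missing=$(missing_filesets "$REQUIRED" "$LSLPP_SAMPLE"); then
  echo "filesets: all required filesets are COMMITTED"
else
  echo "filesets: not COMMITTED:"; echo "$missing"
fi
if paging_space_ok "$LSPS_SAMPLE"; then
  echo "paging space: ok"
else
  echo "paging space: $(paging_space_mb "$LSPS_SAMPLE")MB is below 768MB"
fi
```

Treating an APPLIED fileset as missing is deliberate: the manual's table lists every required fileset as COMMITTED, and a fileset that was applied but never committed can still be rejected.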

Applying the Fix Level to AIX

After you have verified the filesets for AIX, install fix level ML 4330-06. Obtain the AIX fix level ML 4330-06 patch and install it according to the accompanying documentation. You must restart the machine after applying ML 4330-06.


Setting Up AIX Volume Groups and File Systems

Using the AIX System Management Interface Tool (SMIT), set up the following file systems. This suggested configuration is based on using two disk drives with 4.5GB of usable space for the rootvg and datavg volume groups.

Note: This discussion assumes that all the server components are being installed on the same machine. If you install the Certificate Authority and Audit subsystem on a machine that is separate from the Registration Authority server, adjust the procedure accordingly.

¶ For the rootvg partition:

v Set the root (/) partition to 64MB (128,000 512-byte blocks).

v Set the /usr partition to 3GB (6,000,000 512-byte blocks).

v Set the /tmp partition to 200MB (400,000 512-byte blocks).

v Set the /var partition to 500MB (1,000,000 512-byte blocks).

v Set the /home partition to 200MB (400,000 512-byte blocks).

¶ For the datavg partition:

v Set the /local partition to 2GB (4,000,000 512-byte blocks).

v Create a /dbfsibm partition and set it to 500MB (1,000,000 512-byte blocks).

This is the default file system for the Tivoli PKI CA. Note that the size may need to be adjusted in accordance with the number of certificates that are issued.

v Create a /dbfspkrf partition and set it to 300MB (600,000 512-byte blocks).

This is the default file system for the registration facility. Note that the size might need to be adjusted in accordance with the number of users who register for certificates.

v Create a /dbfsadt partition and set it to 300MB (600,000 512-byte blocks).


This is the default file system for the Audit subsystem. Note that the size might need to be adjusted in accordance with the number of audit events that are logged.

v Create a /dbfskrb partition and set it to 300MB (600,000 512-byte blocks).

This is the default file system for the key backup and recovery facility. Note that the size might need to be adjusted in accordance with the number of key backup requests that are issued.

Creating a CD-ROM File System

To install Tivoli PKI and its prerequisite products, you must have a CD-ROM file system mounted as /cdrom. If necessary, use the following command to create a definition for this file system:

crfs -v cdrfs -d /dev/cd0 -m /cdrom -p ro -A no

Alternatively, you can use SMIT to create the file system:

smitty crcdrfs

Changing the Number of AIX System Users

Enter the following command to change the number of AIX system users. You must restart the system for this command to take effect.

chlicense -u 100

Ensuring Host Name Resolution

Do the following to set up AIX so that your local server can correctly resolve host names:

1. Create a file in the /etc directory named netsvc.conf that contains only the following line (note that there are no spaces in this statement):

hosts=local,bind4

Create this file by using a text editor such as vi, or by entering the following command (the path is given in full so that the file lands in /etc regardless of the current directory):

echo hosts=local,bind4 > /etc/netsvc.conf

2. Edit the /etc/hosts file and ensure this file references the server you are setting up. For example:


127.0.0.1 loopback localhost
192.40.168.20 taserver.company.com taserver

The second line in the preceding example identifies the IP address, fully-qualified host name, and short host name of the AIX server you are setting up.

3. Create or modify the /etc/resolv.conf file to include only the following lines:

domain company.com
nameserver 10.10.10.90

The first line in the preceding example identifies the domain name of the server you are setting up. The second line identifies the IP address of the DNS name server.
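The three files set up in the procedure above (netsvc.conf, /etc/hosts and /etc/resolv.conf) are easy to get subtly wrong, for instance a space in the netsvc.conf line or a hosts entry that lists the short name but not the fully-qualified one, and a server whose own name does not resolve is a common cause of failures in the configuration applet later on. The following checker is an added example, not part of the manual or the product. It takes the file contents as strings so it can run offline; the samples embedded in it mirror the manual's illustrative values (taserver.company.com, 192.40.168.20, 10.10.10.90), which are constructed and not real hosts. On a live system you would pass "$(cat /etc/hosts)" and so on.

```shell
#!/bin/sh
# Added example, not from the Tivoli PKI manual: validates the AIX
# name-resolution files the procedure above creates. File contents are
# passed as strings; the samples below are constructed from the manual's
# illustrative values and are not real hosts or addresses.

HOSTS_SAMPLE='127.0.0.1 loopback localhost
192.40.168.20 taserver.company.com taserver'
RESOLV_SAMPLE='domain company.com
nameserver 10.10.10.90'
NETSVC_SAMPLE='hosts=local,bind4'

# netsvc_local_first "<netsvc.conf content>"
# 0 when the file has exactly "hosts=local,bind4" (no spaces), so that
# /etc/hosts is consulted before DNS.
netsvc_local_first() {
  printf '%s\n' "$1" | grep -q '^hosts=local,bind4$'
}

# hosts_maps "<hosts content>" FQDN SHORT
# 0 when one non-comment line lists both the fully-qualified and the short
# name; prints that line's address.
hosts_maps() {
  printf '%s\n' "$1" | awk -v fq="$2" -v sh="$3" '
    /^[[:space:]]*#/ || NF < 2 { next }
    { f = 0; s = 0
      for (i = 2; i <= NF; i++) { if ($i == fq) f = 1; if ($i == sh) s = 1 }
      if (f && s) { print $1; found = 1; exit } }
    END { exit found ? 0 : 1 }'
}

# resolv_ok "<resolv.conf content>" DOMAIN
# 0 when the file contains a domain line for DOMAIN, at least one
# nameserver line with a dotted-quad address, and nothing else
# (the manual says the file should include only those lines).
resolv_ok() {
  printf '%s\n' "$1" | awk -v dom="$2" '
    NF == 0 { next }
    $1 == "domain" && $2 == dom { d = 1; next }
    $1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n = 1; next }
    { bad = 1 }
    END { exit (d && n && !bad) ? 0 : 1 }'
}

# check_name_resolution HOSTS RESOLV NETSVC FQDN SHORT DOMAIN
# Runs all three checks, plus a consistency check that FQDN is SHORT
# within DOMAIN. Prints one finding per check; returns 0 only if all pass.
check_name_resolution() {
  rc=0
  if netsvc_local_first "$3"; then
    echo "netsvc.conf: ok"
  else
    echo "netsvc.conf: hosts=local,bind4 line missing or malformed"; rc=1
  fi
  if addr=$(hosts_maps "$1" "$4" "$5"); then
    echo "hosts: $4 / $5 -> $addr"
  else
    echo "hosts: no line maps both $4 and $5"; rc=1
  fi
  case "$4" in
    "$5.$6") ;;
    *) echo "hosts: $4 is not $5 within domain $6"; rc=1 ;;
  esac
  if resolv_ok "$2" "$6"; then
    echo "resolv.conf: ok"
  else
    echo "resolv.conf: expected only 'domain $6' and nameserver lines"; rc=1
  fi
  return $rc
}

# Stand-alone run against the constructed samples.
check_name_resolution "$HOSTS_SAMPLE" "$RESOLV_SAMPLE" "$NETSVC_SAMPLE" \
  taserver.company.com taserver company.com
```

The consistency check between the hosts entry and the resolv.conf domain is the one SMIT will not do for you: HOSTNAME is entered as the short name, and only the combination of /etc/hosts and the domain line makes the fully-qualified name resolve.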

Creating a System Image

Although not required, you should back up your AIX system configuration before proceeding with the installation of Tivoli PKI. Having a backup image enables you to restore the system in the event that problems occur.

To create a system image, enter the following commands as root and select your preferred options:

smitty mksysb
smitty savevg

Installing the Database Software

Tivoli PKI uses IBM DB2 Universal Database software to manage data. The IBM DB2 Universal Database software is provided with the IBM WebSphere Application Server Standard Edition version 3.5.0. The IBM DB2 Universal Database software provided with IBM WebSphere Application Server is intended for use by Tivoli PKI applications only. If you want to customize the database software, or use it for purposes other than Tivoli PKI, you must purchase a license for a complete version of IBM DB2 Enterprise Edition, version 6.1.

The following sections provide procedures for installing the database software. If you are setting up Tivoli PKI in a multiple machine configuration, you must install the database software on each machine where you plan to install a Tivoli PKI server component. Note the following guidelines:

¶ During configuration, Tivoli PKI automatically creates the databases that are required by the server programs. Unless a Directory database already exists, Tivoli PKI creates a database for the Directory.

¶ Before installing Tivoli PKI, you must ensure that the required version of database software is installed on each machine where you plan to install a Tivoli PKI server component. You must ensure that the database system is functioning correctly on its own before you install Tivoli PKI.

Installing DB2

Use the following procedure to install the base database software.

1. Log in as root.

2. Place the IBM WebSphere Application Server for AIX CD in the CD-ROM drive. Enter the following command to mount the CD:

mount /cdrom

3. Enter the following command to change to the /Db2 directory on the CD:

cd /cdrom/Db2

4. Enter the following command to run the database installation script:

./db2setup

During installation, the database installation script checks to see whether a previous version of DB2 exists on the system and whether the machine has adequate disk space. If there is not enough space, the /usr file system is increased to 400 MB free space.

5. Select DB2 UDB Enterprise Edition.

6. Select DB2 Product Messages.


7. Select the appropriate language for your area and then select OK.

8. Select DB2 Product Library.

9. Select the appropriate language for your area and then select OK.

10. Select OK.

11. At Create DB2 Services, select Create a DB2 Instance.

12. Press Enter.

13. Set User Name to db2inst1 and Home Directory to /home/db2inst1. Leave all other values set to their default.

14. Enter values for Password and Verify Password.

15. Select Properties.

16. Press Enter.

17. For the Authentication Type, select Client.

18. Select OK.

19. Select OK.

20. For Authentication, enter Password and Verify Password values for the db2fenc1 user name.

21. Select OK.

22. Select OK.

23. Select OK.

Note: Ignore the warning message.

24. Select Continue.

25. Select OK.

The DB2 installation begins at this point.

26. Select OK.

27. Select OK to exit or view log.

28. Select Close.


29. Select OK.

30. Select OK.

This portion of the installation is complete at this point.

31. Enter the following command to unmount the Tivoli PKI media:

umount /cdrom

32. Enter the following command to change directories:

cd /usr/lpp/db2_06_01/cfg

33. Enter the following command to set the environment variables:

./db2ln

34. Continue with the installation by referring to the section, “Installing IBM® Directory” on page 58.

Installing IBM® Directory

Tivoli PKI uses the IBM Directory to store and maintain information about certificates issued through the registration facility. Use the procedures in the following sections to install and set up the Directory software. You can install this software on a remote machine or on the same machine where you plan to install a Tivoli PKI server component.

Installing the Directory Software

As root, do the following:

1. Place the Directory Server version 3.1.1.5 CD into the system’s CD-ROM drive. Enter the following command to mount the CD:

mount /cdrom

2. Enter the following command to change directories:

cd /cdrom/usr/sys/inst.images

3. Enter the following command:

smitty install

4. Select Install and Update Software.

5. Select Install and Update from LATEST Available Software.


6. Select . (period) for the INPUT device / directory for software option.

7. At Install and Update from LATEST Available Software, press F4 to view a list of filesets available for installation.

8. Use F7 to select the ldap.client fileset for installation.

9. After the fileset is installed, at Install and Update from LATEST Available Software, press F4 to view a list of filesets available for installation.

10. Use F7 to select the following filesets for installation:

¶ ldap.server

¶ ldap.html.en_US

Note: You must select the appropriate language filesets for your installation.

11. Enter the following command to unmount the Directory media. No process can access any portion of the /cdrom tree when you issue this command:

umount /cdrom

Note: In a multiple-machine configuration, each Tivoli PKI server must have the Directory client software installed before you run the Tivoli PKI configuration applet. To install this software, you must install the ldap.client option from the Directory Server CD on each machine except the one where you installed the Directory server software. The critical file that must be installed on each machine is libldap.a.

Upon completion, the following files are installed:ldap.client.adt 3.1.1.5 COMMITTED SecureWay Directory Client SDKldap.client.rte 3.1.1.5 COMMITTED SecureWay Directory Clientldap.html.en_US.config 3.1.1.0 COMMITTED SecureWay Directoryldap.html.en_US.man 3.1.1.0 COMMITTED SecureWay Directory Man Pagesldap.msg.en_US 3.1.1.0 COMMITTED SecureWay Directory Messages -ldap.server.admin 3.1.1.5 COMMITTED SecureWay Directory Serverldap.server.com 3.1.1.5 COMMITTED SecureWay Directory Serverldap.server.rte 3.1.1.5 COMMITTED SecureWay Directory Server

Installing Java

To install Java, do the following:

1. Place the Tivoli PKI for AIX CD into the system's CD-ROM drive. Enter the following command to mount the CD:
   mount /cdrom

2. Enter the following command to change directories:
   cd /cdrom/aix/Java_1.2.2.ptf8

3. Enter the following command:
   smitty install

4. Select Install and Update Software.

5. Select Install and Update from LATEST Available Software.

6. Select . (period) for the INPUT device / directory for software option.

7. Press Enter.

8. Press Enter.

9. Press F10.

10. Enter the following command to unmount the Tivoli PKI media. No process can access any portion of the /cdrom tree when you issue this command:
    umount /cdrom

Upon completion, the following filesets are installed:
    Java_dev2.adt.debug     1.2.2.9  COMMITTED  Java Application Development
    Java_dev2.adt.includes  1.2.2.0  COMMITTED  Java Application Development
    Java_dev2.adt.src       1.2.2.9  COMMITTED  Java Classes Source Code
    Java_dev2.rte.bin       1.2.2.9  COMMITTED  Java Runtime Environment
    Java_dev2.rte.lib       1.2.2.9  COMMITTED  Java Runtime Environment


Creating the WebSphere Application Server Database

Before you install WebSphere Application Server, you must create a DB2 database for it. To create a database, do the following:

1. Log in as root.

2. Enter the following command:
   su - db2inst1

3. Start the DB2 console using the following command:
   db2

4. Create and configure the database for WebSphere Application Server by entering the following commands:
   create database was_db
   update db cfg for was_db using applheapsz 256

5. Exit the DB2 console by entering quit.

6. Stop DB2 by entering db2stop.

7. Start DB2 by entering db2start.

8. Enter exit to return to the root shell.

Installing the Web Server Software

Tivoli PKI uses the IBM WebSphere Application Server and IBM HTTP Server to support its Web-based functions. To ensure that the Web server programs are installed correctly for use with Tivoli PKI, follow this procedure to install the software on an AIX platform. You must install the software on the machine where you plan to install the Registration Authority component.

Note that even though WebSphere has an administrative interface for managing servlets, it is neither possible nor necessary to use it to manage Tivoli PKI servlets.

After you install Tivoli PKI, a post-installation program updates the Web server with information that is required by Tivoli PKI. When you start the Web server, it uses the configuration file that Tivoli PKI created for this purpose.


Note: Be sure to review the discussion of how Tivoli PKI configures ports on the Web server in "Configuring IP Aliases for the Web Server" on page 39. If you want to configure ports differently, you must do so before you configure Tivoli PKI.

Installing WebSphere Application Server

1. Log in as root.

2. Place the WebSphere Application Server for AIX CD in the CD-ROM drive. Enter the following command to mount the CD:
   mount /cdrom

3. If you are doing the install remotely, you must install WebSphere in a graphical X11 environment. Enter the following command to export the proper DISPLAY environment variable for the WebSphere installation program to open, where yourhost:0.0 is the proper value for your system:
   export DISPLAY=yourhost:0.0

4. Install WebSphere:

   a. Enter the following command to change directories:
      cd /cdrom/aix

   b. Enter the following command to run the install.sh script:
      ./install.sh

   c. In the Welcome window, click Next.

   d. In the Install Options window, select Custom installation and click Next.

   e. In the first Choose Application Server Components window, select All Components and click Next.

   f. In the second Choose Application Server Components window, select IBM HTTP Server plug-in and click Next.

   g. In the Database Options window, select DB2 from the Database Type drop-down list and fill in the following fields as listed:


      Database Name:      was_db
      DB Home:            /home/db2inst1
      Database User ID:   db2inst1
      Database Password:  yourpassword
      Confirm Password:   yourpassword

      where yourpassword is the db2inst1 password entered when db2setup was run.

   h. In the Security Information window, enter the root password for the system, confirm it, and click Next.

   i. In the Select Destination Directory window, click Next.

   j. In the Install Options Selected window, click Next.

   k. In the next window, click OK to begin installing the product.

      Note: This step takes several minutes to complete.

   l. In the Setup Complete window, click Finish.

5. Enter the following commands to unmount the WebSphere media. No process can access any portion of the /cdrom tree when you issue these commands:
   cd /
   umount /cdrom

Upon completion, the following filesets are installed:
    IBMWebAS.base.IBMApache  3.5.0.0  COMMITTED  IBMWebAS.base - IBMApache
    IBMWebAS.base.ITJ.Info   1.0.0.0  COMMITTED  IBMWebAS.base - ITJ Info
    IBMWebAS.base.WASicon    3.5.0.0  COMMITTED  IBMWebAS.base - WASicon
    IBMWebAS.base.admin      3.5.0.0  COMMITTED  IBMWebAS.base - admin
    IBMWebAS.base.samples    3.5.0.0  COMMITTED  IBMWebAS.base - samples
    IBMWebAS.base.server     3.5.0.0  COMMITTED  IBMWebAS.base - server
    IBMWebAS.base.tivoli     3.5.0.0  COMMITTED  IBMWebAS.base - tivoli

Upgrading WebSphere Application Server

To upgrade the WebSphere Application Server to Program Temporary Fix (PTF) 4, do the following:

1. Place the Tivoli PKI for AIX CD into the system's CD-ROM drive. Enter the following command to mount the CD:
   mount /cdrom

2. Enter the following command to change the directory:
   cd /cdrom/aix/WebSphere-Standard-ptf4

3. Copy all the WebSphere PTF4 files from the CD to a directory on your system where you have write permission as root.

4. Enter the following command to run the install.sh script:
   ./install.sh

5. When prompted, specify the WebSphere root directory. Normally, this directory is /usr/WebSphere/AppServer.

6. When prompted, answer "y" to the question "Please enter whether you want to install IHS WebServer PTF (y/n)".

7. When prompted, specify your WebServer's document root path. Normally, this directory is /usr/HTTPServer/htdocs/en_US. Reply "y" to the confirmation.

Disabling IBM HTTP Server Automatic Startup

To disable the automatic startup feature of the IBM HTTP Server service, perform the following steps as root. This ensures that the Web server is started only with the httpd.conf that the Tivoli PKI post-installation program creates, not with the stock configuration that an inittab entry would use.

1. Enter the following command to change to the /etc directory:
   cd /etc

2. Edit the file inittab and delete the entry for ihshttpd. Save the inittab file after deleting the entry.

3. Stop the IBM HTTP Server service that WebSphere may have already started. To do so, do the following:

   a. Enter the following command to list the possible processes:
      ps -ef | grep http

   b. Identify the parent /usr/HTTPServer/bin/httpd process. In ps -ef output the second field from the left is the process ID (PID) and the third is the parent process ID (PPID); the parent httpd is the one whose PPID is 1 (init), and the remaining httpd entries are its child processes.

   c. Note the PID (the second field from the left) of that parent process.

   d. Stop the parent process by entering the kill command. For example:
      kill pid

      where pid is the PID of the parent process. Killing only a child process is not sufficient, because the parent respawns its children.
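The following script is an added example and is not part of the manual or the product. It turns steps 2 and 3 into functions that can be tried first against copies of /etc/inittab and of ps -ef output (the sample inittab and process listing in the script are constructed for the example), and it assumes the default /usr/HTTPServer path and the ihshttpd inittab identifier named above. The inittab backup file name is the script's own choice; on AIX, rmitab ihshttpd removes the entry without editing the file by hand.

```shell
#!/bin/sh
# Added example, not part of the Tivoli PKI manual: helpers for the two
# actions in "Disabling IBM HTTP Server Automatic Startup". Both parsers
# read text on stdin so they can be tried on copies of the data first.

# Drop the ihshttpd entry from inittab text. AIX inittab lines are
# Identifier:RunLevel:Action:Command, so only the first field is compared.
strip_ihs_inittab() {
    awk -F: '$1 != "ihshttpd"'
}

# Print the PID of the parent /usr/HTTPServer/bin/httpd process in ps -ef
# output: the httpd whose PPID (third field) is 1. Its workers are children
# that the parent would respawn, so the parent is the process to kill.
httpd_parent_pid() {
    awk '$3 == 1 && index($0, "/usr/HTTPServer/bin/httpd") > 0 { print $2; exit }'
}

# Apply both changes on a live system (assumes root). The backup file name
# /etc/inittab.pre-tpki is this example's choice, not a product convention.
disable_ihs_autostart() {
    cp /etc/inittab /etc/inittab.pre-tpki || return 1
    strip_ihs_inittab < /etc/inittab.pre-tpki > /etc/inittab || return 1
    pid=$(ps -ef | httpd_parent_pid)
    if [ -n "$pid" ]; then
        kill "$pid"
    fi
}

# Constructed sample data for trying the parsers offline.
SAMPLE_INITTAB='init:2:initdefault:
brc::sysinit:/sbin/rc.boot 3 >/dev/console 2>&1
ihshttpd:2:once:/usr/HTTPServer/bin/httpd > /dev/console 2>&1
rc:2:wait:/etc/rc 2>/dev/console 2>&1'

SAMPLE_PS='     UID   PID  PPID   C    STIME    TTY  TIME CMD
    root     1     0   0   Jan 05      -  0:12 /etc/init
    root  9876     1   0 10:23:45      -  0:00 /usr/HTTPServer/bin/httpd -d /usr/HTTPServer
  nobody  9912  9876   0 10:23:46      -  0:00 /usr/HTTPServer/bin/httpd -d /usr/HTTPServer
  nobody  9918  9876   0 10:23:46      -  0:00 /usr/HTTPServer/bin/httpd -d /usr/HTTPServer
    root 10422 10001   0 10:30:01  pts/0  0:00 grep http'
```

Run `printf '%s\n' "$SAMPLE_PS" | httpd_parent_pid` to see that only 9876, the httpd whose PPID is 1, is selected; the two worker processes and the grep line are ignored. The match is on the full path so that an unrelated process whose name merely contains "http" is not killed.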


Starting WebSphere Application Server

Before you install Tivoli PKI, you must start WebSphere Application Server. Do the following to start the WebSphere Application Server:

1. Enter the following command to change directories:
   cd /usr/WebSphere/AppServer/bin

2. Enter the following command:
   ./startupServer.sh &

3. Enter the following command to change directories:
   cd /usr/WebSphere/AppServer/logs

4. Enter the following command and watch the trace file:
   tail -f tracefile

   When you see the message "A WebSphere Administration Server open for e-business", the WebSphere Application Server is started.

   Note: This step takes several minutes to complete.

5. Press Ctrl + C to exit the tail command.
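The following is an added example, not code from the manual or the product. It starts the server as in steps 1 and 2 and polls the trace file for the message in step 4 with a timeout, so the start can be scripted and fail visibly instead of relying on someone watching tail -f. It assumes the default /usr/WebSphere/AppServer path; the timeout, the WAS_HOME variable and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Tivoli PKI manual: start WebSphere and
# block until the trace file reports the server is up.
WAS_HOME=${WAS_HOME:-/usr/WebSphere/AppServer}
WAS_READY_MSG='open for e-business'

# wait_for_line FILE PATTERN TIMEOUT -> 0 once PATTERN appears in FILE,
# 1 if TIMEOUT seconds pass first. Polls once a second.
wait_for_line() {
    file=$1 pattern=$2 timeout=$3
    elapsed=0
    while :; do
        if [ -f "$file" ] && grep -q "$pattern" "$file"; then
            return 0
        fi
        [ "$elapsed" -lt "$timeout" ] || return 1
        sleep 1
        elapsed=$((elapsed + 1))
    done
}

# start_websphere [TIMEOUT]: run startupServer.sh in the background, as the
# manual's step 2 does, then wait up to TIMEOUT seconds (default 600, an
# assumption) for the ready message in logs/tracefile.
start_websphere() {
    ( cd "$WAS_HOME/bin" && ./startupServer.sh & ) || return 1
    wait_for_line "$WAS_HOME/logs/tracefile" "$WAS_READY_MSG" "${1:-600}"
}
```

A non-zero exit from start_websphere means the message never appeared within the timeout; inspect tracefile before continuing with the Tivoli PKI installation, which requires the server to be up.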

Installing the 4758 Coprocessor

You must decide whether you want to use the IBM 4758 cryptographic card to protect CA or RA signing keys. If so, you must install the 4758 hardware and its cryptographic support program on the server where you plan to install the Certificate Authority or Registration Authority respectively. If the CA and RA reside on the same machine, the 4758 hardware can be shared. Make this decision before you install the server software, because 4758 Coprocessor Support is one of the filesets you select (or omit) during that installation.

For information about installing and setting up the 4758 coprocessor, refer to the 4758 product documentation.

Installing Tivoli PKI

Before you begin installing Tivoli PKI, read the latest version of the product Release Notes. To obtain the most current version of this document, access the Tivoli PKI Web site.


Use the following guidelines to install the Tivoli PKI product components:

¶ Install all the server programs on the same platform (in this case AIX).

¶ If you previously installed IBM KeyWorks version 1.1.1, you must either install Tivoli PKI on a different machine, or remove the KeyWorks software and any associated applications before you start the Tivoli PKI installation program.

¶ If you are setting up Tivoli PKI in a multiple-machine configuration, you must repeat the installation procedures until you have installed the correct server components on the intended machines. Refer to "Multiple Machine Installation Guidelines" on page 69 for further information.

¶ When you install the RA Desktop applet, you first install an installation image. You must then distribute the image or make it available on your network so that users can run the installation program from a local machine running Windows. For instructions on how to install, configure, and uninstall these programs, see the Tivoli PKI RA Desktop Guide.

¶ If you did not restart the system after installing the prerequisite software, do so now. You must ensure that environment variables are correct before you install Tivoli PKI.

¶ Use PING or another network connectivity tool to verify that host names and IP addresses are valid and known to your network's Domain Name Services (DNS) server.

Installing KeyWorks

To install IBM KeyWorks, complete the following steps:

1. Log in as root.

2. Place the Tivoli PKI for AIX CD into the system's CD-ROM drive. Enter the following command to mount the CD:
   mount /cdrom

3. Enter the following command to change directories:
   cd /cdrom/kw


4. Enter the following command to install KeyWorks:
   smitty install_latest

5. Select . (period) for the INPUT device / directory for software option.

6. At Install and Update from LATEST Available Software, press Enter.

7. If you are continuing to install Tivoli PKI, you can skip this step. Otherwise, enter the following command to unmount the CD-ROM drive:
   umount /cdrom

Upon completion, the following filesets are installed:
    sway.adt     1.1.3.1  COMMITTED  IBM KeyWorks
    sway_vr.cst  1.1.3.1  COMMITTED  Domestic (US) customization

Installing the Server Software

To install the server software, do the following:

1. Log in as root.

2. Place the Tivoli PKI for AIX CD in the CD-ROM drive. Enter the following command to mount the CD:
   mount /cdrom

3. Enter the following command to change directories:
   cd /cdrom/usr/sys/inst.images

4. Enter the following command:
   smitty

5. Select Software Installation and Maintenance.

6. Select Install and Update Software.

7. Select Install and Update from LATEST Available Software.

8. Select . (period) for the INPUT device / directory for software option.

9. At SOFTWARE to install, press F4 to view a list of the filesets available for installation.


10. Using the following table as a guideline, select the component or components you want to install on this machine, and press Enter.

    The tpki.doc fileset contains HTML help files and Tivoli PKI documentation for the following:
    ¶ Tivoli PKI Configuration Guide
    ¶ Tivoli PKI Registration Authority Desktop Guide

    The tpki.srvr fileset contains the following:
    ¶ 4758 Coprocessor Support
    ¶ Certificate Authority
    ¶ Core Files
    ¶ Installation GUI
    ¶ Installation Tools
    ¶ Registration Authority

    Note: Do not select 4758 Coprocessor Support if your machine does not contain 4758 hardware. Use F7 to selectively install the filesets you require.

    File name       Component                               Description
    --------------  --------------------------------------  ----------------------------------------------------------------
    tpki.srvr.ra    Registration Authority server           Installs the Registration Authority server software, including
                                                            all files needed for the registration facility.
    tpki.srvr.ca    Certificate Authority and Audit server  Installs the Certificate Authority and Audit subsystem programs.
    tpki.srvr.core  Tivoli PKI                              Installs the main Tivoli PKI libraries.
    tpki.srvr.ic    Installation Tools                      Installs the Tivoli PKI installation tools.
    tpki.srvr.icg   Installation GUI                        Installs the Tivoli PKI installation GUI.
    RADInst.exe     Registration Authority Desktop          Installs an installation image for the Tivoli PKI RA Desktop
                                                            applet (Windows NT only).

11. At this point, the Tivoli PKI installation is complete. Enter the following commands to unmount the CD-ROM drive:
    cd /
    umount /cdrom

Upon completion, the following filesets are installed:
    tpki.srvr.ca    3.7.1.0  COMMITTED  IBM Trust Authority
    tpki.srvr.core  3.7.1.0  COMMITTED  IBM Trust Authority Core Files
    tpki.srvr.ic    3.7.1.0  COMMITTED  IBM Trust Authority
    tpki.srvr.icg   3.7.1.0  COMMITTED  IBM Trust Authority
    tpki.srvr.ra    3.7.1.0  COMMITTED  IBM Trust Authority
    tpki.doc.cfg    3.7.1.0  COMMITTED  IBM Trust Authority Config
    tpki.doc.rad    3.7.1.0  COMMITTED  IBM Trust Authority RA Desktop
    tpki.doc.usr    3.7.1.0  COMMITTED  IBM Trust User Guide

Multiple Machine Installation Guidelines

This section discusses guidelines for you to consider when installing Tivoli PKI to run across a multiple-machine configuration. The configurations discussed are the following:

¶ Scenario 1 — RA server on one machine; CA, Audit, and Directory servers on a different machine

¶ Scenario 2 — RA and Directory servers on one machine; CA and Audit servers on a different machine

¶ Scenario 3 — RA, Audit, and CA servers on one machine; Directory server on a different machine

¶ Scenario 4 — RA server on one machine; CA and Audit servers on a different machine; Directory server on a third machine

Use the following installation guidelines as appropriate for your Tivoli PKI machine configuration.

Scenario 1 — RA server on one machine; CA, Audit, and Directory servers on a different machine

The RA server requires the following software installations:
¶ AIX 4.3.3.0
¶ AIX 4.3.3.0 Maintenance Level 6
¶ IBM DB2 Universal Database version 6.1 FP 4
¶ IBM Directory Client
¶ IBM Developer Kit for AIX, Java Technology Edition, version 1.2.2 PTF 8
¶ IBM WebSphere Application Server Standard Edition version 3.5
¶ Upgrade IBM WebSphere Application Server Standard Edition to version 3.5 PTF 4
¶ Disable IBM HTTP Server automatic startup
¶ Start the WebSphere Application Server
¶ IBM KeyWorks
¶ Tivoli PKI filesets: tpki.srvr.core, tpki.srvr.ic, tpki.srvr.icg, tpki.srvr.ra

The CA, Audit, and Directory servers require the following software installations:
¶ AIX 4.3.3.0
¶ AIX 4.3.3.0 Maintenance Level 6
¶ IBM DB2 Universal Database version 6.1 FP 4
¶ IBM Directory Server version 3.1.1.5
¶ IBM Developer Kit for AIX, Java Technology Edition, version 1.2.2 PTF 8
¶ IBM KeyWorks
¶ Tivoli PKI filesets: tpki.srvr.core, tpki.srvr.ic, tpki.srvr.ca

Scenario 2 — RA and Directory servers on one machine; CA and Audit servers on a different machine

The RA and Directory servers require the following software installations:
¶ AIX 4.3.3.0
¶ AIX 4.3.3.0 Maintenance Level 6
¶ IBM DB2 Universal Database version 6.1 FP 4
¶ IBM Directory Server version 3.1.1.5
¶ IBM Developer Kit for AIX, Java Technology Edition, version 1.2.2 PTF 8
¶ IBM WebSphere Application Server Standard Edition version 3.5
¶ Upgrade IBM WebSphere Application Server Standard Edition to version 3.5 PTF 4
¶ Disable IBM HTTP Server automatic startup
¶ Start the WebSphere Application Server
¶ IBM KeyWorks
¶ Tivoli PKI filesets: tpki.srvr.core, tpki.srvr.ic, tpki.srvr.icg, tpki.srvr.ra

The CA and Audit servers require the following software installations:
¶ AIX 4.3.3.0
¶ AIX 4.3.3.0 Maintenance Level 6
¶ IBM DB2 Universal Database version 6.1 FP 4
¶ IBM Directory Client
¶ IBM Developer Kit for AIX, Java Technology Edition, version 1.2.2 PTF 8
¶ IBM KeyWorks
¶ Tivoli PKI filesets: tpki.srvr.core, tpki.srvr.ic, tpki.srvr.ca

Scenario 3 — RA, Audit, and CA servers on one machine; Directory server on a different machine

The RA, Audit, and CA servers require the following software installations:
¶ AIX 4.3.3.0
¶ AIX 4.3.3.0 Maintenance Level 6
¶ IBM DB2 Universal Database version 6.1 FP 4
¶ IBM Directory Client
¶ IBM Developer Kit for AIX, Java Technology Edition, version 1.2.2 PTF 8
¶ IBM WebSphere Application Server Standard Edition version 3.5
¶ Upgrade IBM WebSphere Application Server Standard Edition to version 3.5 PTF 4
¶ Disable IBM HTTP Server automatic startup
¶ Start the WebSphere Application Server
¶ IBM KeyWorks
¶ Tivoli PKI filesets: tpki.srvr.core, tpki.srvr.ic, tpki.srvr.icg, tpki.srvr.ra, tpki.srvr.ca

The Directory server requires the following software installations:
¶ AIX 4.3.3.0
¶ AIX 4.3.3.0 Maintenance Level 6
¶ IBM DB2 Universal Database version 6.1 FP 4
¶ IBM Directory Server version 3.1.1.5
¶ IBM Developer Kit for AIX, Java Technology Edition, version 1.2.2 PTF 8
¶ IBM KeyWorks
¶ Tivoli PKI filesets: tpki.srvr.core, tpki.srvr.ic

Scenario 4 — RA server on one machine; CA and Audit servers on a different machine; Directory server on a third machine

The RA server requires the following software installations:
¶ AIX 4.3.3.0
¶ AIX 4.3.3.0 Maintenance Level 6
¶ IBM DB2 Universal Database version 6.1 FP 4
¶ IBM Directory Client
¶ IBM Developer Kit for AIX, Java Technology Edition, version 1.2.2 PTF 8
¶ IBM WebSphere Application Server Standard Edition version 3.5
¶ Upgrade IBM WebSphere Application Server Standard Edition to version 3.5 PTF 4
¶ Disable IBM HTTP Server automatic startup
¶ Start the WebSphere Application Server
¶ IBM KeyWorks
¶ Tivoli PKI filesets: tpki.srvr.core, tpki.srvr.ic, tpki.srvr.icg, tpki.srvr.ra

The CA and Audit servers require the following software installations:
¶ AIX 4.3.3.0
¶ AIX 4.3.3.0 Maintenance Level 6
¶ IBM DB2 Universal Database version 6.1 FP 4
¶ IBM Directory Client
¶ IBM Developer Kit for AIX, Java Technology Edition, version 1.2.2 PTF 8
¶ IBM KeyWorks
¶ Tivoli PKI filesets: tpki.srvr.core, tpki.srvr.ic, tpki.srvr.ca

The Directory server requires the following software installations:
¶ AIX 4.3.3.0
¶ AIX 4.3.3.0 Maintenance Level 6
¶ IBM DB2 Universal Database version 6.1 FP 4
¶ IBM Directory Server version 3.1.1.5
¶ IBM Developer Kit for AIX, Java Technology Edition, version 1.2.2 PTF 8
¶ IBM KeyWorks
¶ Tivoli PKI filesets: tpki.srvr.core, tpki.srvr.ic
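The following shell script is an added example and is not part of the manual or the product. It encodes the four scenarios above as a function of which components a machine hosts (ra for the RA server, ca for the CA and Audit servers, dir for the Directory server) and compares the result with lslpp -l output, reporting required filesets that are absent or not in COMMITTED state, the state shown in the "Upon completion" listings earlier in this chapter. Fileset names are taken from those listings; the DB2 filesets are not named in the manual and are therefore not checked. The lslpp excerpts in the script are constructed sample data, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Tivoli PKI manual: derive the filesets a
# machine needs from the components it hosts, then compare with `lslpp -l`.

# required_filesets "ra ca dir" -> space-separated fileset names
required_filesets() {
    req="Java_dev2.rte.bin sway.adt tpki.srvr.core tpki.srvr.ic"
    has_dir=0
    for c in $1; do
        case $c in
            ra)  req="$req IBMWebAS.base.server tpki.srvr.icg tpki.srvr.ra" ;;
            ca)  req="$req tpki.srvr.ca" ;;
            dir) req="$req ldap.server.rte"; has_dir=1 ;;
            *)   echo "unknown component: $c" >&2; return 2 ;;
        esac
    done
    # Every machine that does not host the Directory server needs the
    # Directory client (libldap.a) before the configuration applet runs.
    [ "$has_dir" -eq 1 ] || req="$req ldap.client.rte"
    echo "$req"
}

# missing_filesets "ra" < lslpp-output -> prints required filesets that are
# absent or not in COMMITTED state, one per line; exit 0 when none.
missing_filesets() {
    req=$(required_filesets "$1") || return 2
    installed=" $(awk '$3 == "COMMITTED" { printf "%s ", $1 }') "
    missing=""
    for f in $req; do
        case $installed in
            *" $f "*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    if [ -z "$missing" ]; then
        return 0
    fi
    for f in $missing; do echo "$f"; done
    return 1
}

# Constructed `lslpp -l` excerpt for a scenario 1 RA machine: tpki.srvr.icg
# was never selected and ldap.client.rte is APPLIED, not COMMITTED.
SAMPLE_LSLPP_RA='  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  IBMWebAS.base.server       3.5.0.0  COMMITTED  IBMWebAS.base - server
  Java_dev2.rte.bin          1.2.2.9  COMMITTED  Java Runtime Environment
  ldap.client.rte            3.1.1.5  APPLIED    SecureWay Directory Client
  sway.adt                   1.1.3.1  COMMITTED  IBM KeyWorks
  tpki.srvr.core             3.7.1.0  COMMITTED  IBM Trust Authority Core Files
  tpki.srvr.ic               3.7.1.0  COMMITTED  IBM Trust Authority
  tpki.srvr.ra               3.7.1.0  COMMITTED  IBM Trust Authority'

# Constructed excerpt for a complete scenario 1 CA/Audit machine.
SAMPLE_LSLPP_CA='  Fileset                      Level  State      Description
Path: /usr/lib/objrepos
  Java_dev2.rte.bin          1.2.2.9  COMMITTED  Java Runtime Environment
  ldap.client.rte            3.1.1.5  COMMITTED  SecureWay Directory Client
  sway.adt                   1.1.3.1  COMMITTED  IBM KeyWorks
  tpki.srvr.ca               3.7.1.0  COMMITTED  IBM Trust Authority
  tpki.srvr.core             3.7.1.0  COMMITTED  IBM Trust Authority Core Files
  tpki.srvr.ic               3.7.1.0  COMMITTED  IBM Trust Authority'
```

On a real machine run `lslpp -l | missing_filesets ra` (or `"ra ca"`, `"ca dir"`, and so on) before the post-installation configuration program; a non-zero exit with the offending names on stdout is the cue to go back to the corresponding installation procedure.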

Changing Bootstrap Values

Use this procedure only if you want to change any of the default configuration values (values that you cannot change when running the configuration applet or after the system has been configured). You must make all bootstrap changes before you run the Tivoli PKI post-installation configuration program. If you do not want to change bootstrap values, continue with "Running the Post-installation Configuration Program" on page 76.

Tivoli PKI runs a bootstrap program as part of the post-installation process. Input to the bootstrap program is an SQL script named createconfig_start.sql that loads the configuration database with default values and creates database table definitions in the ConfigDataTbl database table. This table contains the system configuration data for all the Tivoli PKI components. Several values in this SQL script cannot be changed once the configuration process has started.

Note: Under critical circumstances where a default value might cause a problem in your operating environment, you can also change Tivoli PKI template files prior to configuration. For more information, contact your IBM support representative.

To change a bootstrap value, edit the createconfig_start.sql file. The default location for this file is /usr/lpp/iau/bin.

Use the following table as a guideline when making any changes:

¶ To change the value for DATABASE_PATHNAME, you must specify the entire path to the new location. For example, /local/dbfsibm.

¶ The distinguished names (DNs) for the Tivoli PKI RA, Directory administrator, and Audit subsystem are transparent to the user. If you want to change them, be sure to change only the common name (CN) attribute. The CA DN base you specify during configuration will be applied to the CN you select.

Field name               Description                                                      Default value
-----------------------  ---------------------------------------------------------------  -----------------------------------------------------------
WS_RO_KEYSIZE            Web server keyring key size. Options 0-3, as defined in the      0
                         KeySize enumeration, are as follows:
                         ¶ 0 = 512
                         ¶ 1 = 768
                         ¶ 2 = 1024
                         ¶ 3 = 2048
                         The default therefore generates a 512-bit key. 512-bit RSA
                         keys have been publicly factored and should not be used; set
                         this to 2 or 3 before you run the post-installation
                         configuration program.

DATABASE_PATHNAME        Fully-qualified path to where the CA database instance           dbfsibm
                         physically resides (the CA component).

DATABASE_PATHNAME        Fully-qualified path to where the Audit database instance        dbfsadt
                         physically resides (Audit subsystem component).

DATABASE_PATHNAME        Fully-qualified path to where the registration database          dbfspkrf
                         instance physically resides (RA component).

APP_DN                   The DN of the Tivoli PKI RA. You can modify the CN only.         /C=US/O=YourOrganization/OU=TivoliPKI/CN=Tivoli PKI RA

APP_CERT_LIFETIME        The lifetime of the RA certificates in the system, specified     36
                         in months. This value must be a multiple of 12.

APP_LDAP_DIRADMIN_DN     The DN of the Directory administrator. You can modify the CN     /C=US/O=YourOrganization/OU=TivoliPKI/CN=DirAdmin
                         only.

APP_COMM_PORT            The communication port that handles communications between       29783
                         the registration facility framework and the Tivoli PKI RA.

APP_SEC_MECH             The application's security mechanism. The default disables       0
                         the RA's database encryption. Setting the value to 1 enables
                         database encryption.

CA_IBM_CA_CERT_LIFETIME  The lifetime of the Tivoli PKI CA certificate, specified in      360
                         months. This value must be a multiple of 12.

CA_IBM_ADMIN_PORT        The administrative port of the Tivoli PKI CA. The value you      1835
                         specify must also be specified on the PORT entry in the file
                         irgAutoCA.ini.tpl, which is located in the cfg directory.

ADT_DN                   The DN of the Audit subsystem. You can modify the CN only.       /C=US/O=YourOrganization/OU=TivoliPKI/CN=Tivoli PKI Audit
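The following is an added example, not part of the manual or the product: a checker for the rules the table states (key size 0-3, lifetimes a positive multiple of 12, DNs changed only in their CN, a full path for DATABASE_PATHNAME, port numbers in range), intended to be run on a value before it is written into createconfig_start.sql. Its refusal of key sizes 0 and 1 is this example's own policy, not a product rule; the function names are the example's own, and the default DN strings it compares against are taken from the table above.

```shell
#!/bin/sh
# Added example, not part of the Tivoli PKI manual: validate a proposed
# bootstrap value against the documented constraints before editing
# createconfig_start.sql. Defaults are the ones in the manual's table.
DEFAULT_APP_DN='/C=US/O=YourOrganization/OU=TivoliPKI/CN=Tivoli PKI RA'
DEFAULT_DIRADMIN_DN='/C=US/O=YourOrganization/OU=TivoliPKI/CN=DirAdmin'
DEFAULT_ADT_DN='/C=US/O=YourOrganization/OU=TivoliPKI/CN=Tivoli PKI Audit'

# dn_without_cn DN -> DN with its /CN=... component removed
dn_without_cn() {
    printf '%s\n' "$1" | sed 's#/CN=[^/]*##'
}

# is_int VALUE -> 0 if VALUE is a non-negative decimal integer
is_int() {
    case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# validate_bootstrap NAME VALUE -> 0 if VALUE is acceptable for NAME,
# 1 if it breaks a rule (reason on stderr), 2 for an unknown NAME.
validate_bootstrap() {
    name=$1 value=$2
    case $name in
        WS_RO_KEYSIZE)
            # 0=512, 1=768, 2=1024, 3=2048 bits. Rejecting 0 and 1 is this
            # example's policy: 512- and 768-bit RSA keys are factorable.
            case $value in
                2|3) return 0 ;;
                0|1) echo "$name=$value selects a key below 1024 bits" >&2; return 1 ;;
                *)   echo "$name must be 0-3" >&2; return 1 ;;
            esac ;;
        APP_CERT_LIFETIME|CA_IBM_CA_CERT_LIFETIME)
            is_int "$value" && [ "$value" -gt 0 ] && [ $((value % 12)) -eq 0 ] && return 0
            echo "$name must be a positive multiple of 12 (months)" >&2; return 1 ;;
        APP_COMM_PORT|CA_IBM_ADMIN_PORT)
            is_int "$value" && [ "$value" -ge 1 ] && [ "$value" -le 65535 ] && return 0
            echo "$name must be a TCP port number" >&2; return 1 ;;
        APP_SEC_MECH)
            case $value in
                0|1) return 0 ;;
                *)   echo "$name must be 0 (no RA database encryption) or 1" >&2; return 1 ;;
            esac ;;
        APP_DN|APP_LDAP_DIRADMIN_DN|ADT_DN)
            case $name in
                APP_DN)               default=$DEFAULT_APP_DN ;;
                APP_LDAP_DIRADMIN_DN) default=$DEFAULT_DIRADMIN_DN ;;
                ADT_DN)               default=$DEFAULT_ADT_DN ;;
            esac
            # Only the CN may change: every other RDN must match the default,
            # and the CN must still be present as the last component.
            if [ "$(dn_without_cn "$value")" = "$(dn_without_cn "$default")" ] \
               && printf '%s' "$value" | grep -q '/CN=[^/][^/]*$'; then
                return 0
            fi
            echo "$name: change only the CN attribute" >&2; return 1 ;;
        DATABASE_PATHNAME)
            case $value in
                /*) return 0 ;;
                *)  echo "$name must be the entire path, e.g. /local/dbfsibm" >&2; return 1 ;;
            esac ;;
        *) echo "unknown bootstrap field $name" >&2; return 2 ;;
    esac
}
```

Call it once per value you intend to change, for example `validate_bootstrap WS_RO_KEYSIZE 3`, and only edit createconfig_start.sql when every call returns 0. The DN check strips the CN from both the proposed and the default DN and compares the remainder, which is exactly the "change only the CN" rule stated above.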


Running the Post-installation Configuration Program

After you install the Tivoli PKI server software, you must run a post-installation configuration program, CfgPostInstall, on the Tivoli PKI main server containing the RA, WebSphere, and the HTTP Server. You must run this program before you run the Setup Wizard to configure Tivoli PKI.

This program creates a Web server configuration file (httpd.conf) that enables the Web server to be started with parameters required by Tivoli PKI. It also prepares the Web server to run the configuration applet, creates a Tivoli PKI configuration user account (cfguser), creates the configuration database, and populates the database with default configuration data.

To run the post-installation configuration program, do the following:

1. Log in as root by entering the following command:
   su - root

2. Enter the following command to change directories:
   cd /usr/lpp/iau/bin

3. Enter the following command:
   ./CfgPostInstall -i

4. When prompted, set the password and confirm the password for the cfguser account.

5. When prompted, set the password and confirm the password for the Control Program.

6. Select db2inst1 as the name of the DB2 instance. Type the value 1, which corresponds to db2inst1.

Note: This procedure takes several minutes to complete.

Post-installation Checklist

Use the following checklist to ensure that you are ready to configure Tivoli PKI. For information about running the Setup Wizard, see the Tivoli PKI Configuration Guide.


1. Log in as root, and enter the following commands to create a backup system image:
   smitty mksysb
   smitty savevg

2. To aid in future problem resolution, create a list of all the software that is installed on each server. Log in as root, and enter the following command:
   lslpp -al > tmp/sys_software.txt

3. If you do not intend to use the default configuration values for the Web server ports, you must configure the IP aliases before you run the Setup Wizard. The configuration programs rely on these values when creating the CA certificate for your system. See "Configuring IP Aliases for the Web Server" on page 39 for a discussion of how Tivoli PKI configures and uses ports on the Web server for secure and non-secure transactions.

4. Decide on the distinguished names you want to use for the Tivoli PKI CA and its agents, the Directory administrator and the Directory root. These DNs must be unique.

   Review the guidelines in the Tivoli PKI Configuration Guide to ensure that the DNs for these objects support your intended certification hierarchy.

5. Complete the Tivoli PKI Configuration Data Form located in the Tivoli PKI Configuration Guide to become familiar with information you must have available before you configure the system. Use the form to record information about your system, such as your server host names and your preferred distinguished names.

Running the Backup Utility

The Tivoli PKI backup utility (ta-backup) is a tool for saving configuration data that is not stored in any of the DB2 databases. Ancillary file data such as file permissions is also saved. Use DB2 utilities for backing up DB2 databases.

The backup utility accepts one parameter that identifies the directory where backup data is to be written. This backup directory is the root directory to be used for saving all data files. To avoid name conflicts within the backup directory, the backup utility saves files with the same directory structure that exists on the system being saved.

The following example illustrates the program syntax:
   ta-backup -d backup_directory

where backup_directory is the directory to be used for data backup. The default path is /usr/lpp/iau/backup.

Follow these steps to run the ta-backup utility offline:

1. Log in as root.

2. Optionally create the backup directory for Tivoli PKI configuration data. For example:
   mkdir /usr/lpp/iau/my_tabackup

   Because this directory will hold Tivoli PKI configuration data, give it permissions that restrict access to root.

3. Change to the Tivoli PKI bin directory. The default path is /usr/lpp/iau/bin.

4. Enter the following command to specify where you want data to be backed up:
   ta-backup -d /usr/lpp/iau/my_tabackup

5. Specify the Control Program password when prompted.


Installing Tivoli PKI on WindowsNT

This chapter provides procedures for installing Tivoli Public KeyInfrastructure (PKI) and its prerequisite products on a Windows NTplatform.

Note: Tivoli PKI version 3.7.1 does not support Windows NT. This information has been included as a reference only.

Before you begin installing software for Tivoli PKI, be sure to read the latest version of the product Release Notes. To obtain the most current version of this document, access the Tivoli Public Key Infrastructure Web site.

Note: The main procedures in this chapter assume that you are installing Tivoli PKI for the first time. Before installing Tivoli PKI, it is highly recommended that you back up the data files before beginning. Refer to the instructions in "Running the Backup Utility" on page 97 for backing up your data files. After the backup, run CfgUnInstall from the command line and then proceed with the Tivoli PKI installation.

Install the software for Tivoli PKI in the following order:

1. Microsoft Windows NT operating system version 4.0 with Service Pack 5


2. Tivoli PKI database software (IBM DB2 Universal Database for Tivoli PKI)

3. Sun Java Development Kit (JDK) version 1.1.6 or greater

4. IBM HTTP Server (IHS) version 1.3.3.1, including the Global Services Kit (GSK)

5. IBM WebSphere Application Server version 2.0.3.1

6. IBM Directory Server version 3.1.1

7. Tivoli PKI server software, which includes the core server programs and installation images for the Client application and RA Desktop

Multiple Machine Configuration

If you are not installing all the server software on the same machine, you must repeat the procedures below to install Windows NT and the Tivoli PKI database software on each component machine.

Setting Up Windows NT

Use the following guidelines when installing Windows NT software on the machine or machines where you plan to install Tivoli PKI software. If you previously installed Windows NT, use these guidelines as a checklist to ensure that you installed all the files that are required by the Tivoli PKI components.

If you are setting up Tivoli PKI in a multiple machine configuration, you must install Windows NT on each machine where you plan to install a Tivoli PKI server component.

¶ When installing Windows NT, you must install the TCP/IP Protocol. You cannot use Dynamic Host Configuration Protocol (DHCP) unless you have a dynamic Domain Name Services (DNS) server.

¶ Use the following guidelines to enable connectivity:


v Ensure that IP addresses and host names are allocated and fixed.

v Ensure that you have IP connectivity. For example, test your ability to PING another machine.

v Ensure that DNS and reverse DNS are operating correctly. For example, ensure that the command ping hostname resolves to the correct IP address and that the command ping -a IPaddress resolves to the correct host name.

¶ Ensure that the machine has a temp directory. If a temp directory does not exist, create one. To check for or to create the temp directory, enter the command md %temp%. If the directory exists, the system displays the message "A subdirectory or file drive:\TEMP already exists". Otherwise, the system creates the temp directory.

¶ Set the machine's virtual memory to at least 400 MB:

1. Select Start → Settings → Control Panel.

2. Double-click System, and select the Performance tab.

3. In the Virtual Memory area, click Change.

4. Change the Initial Size value to 400 MB and Maximum Size to 500 MB.

5. Click Set.

6. Click OK to close the dialog box.

7. Click OK to close the System Properties window.

8. Click Yes to restart your computer.

¶ Create a Windows NT user that serves as the Tivoli PKI configuration user. The configuration programs use this username and password to create the required databases and configure the system. Use the Windows NT Administrative Tools to set up this user as follows:

1. From the Administrative Tools program group, run User Manager.


2. Add the account cfguser by copying the Administrator account (highlight the Administrator entry and press F8). The user must have Windows NT Administrator privileges.

3. Type a password for cfguser, and type the same password again to confirm it.

4. Deselect User Must Change Password At Next Logon.

5. Click OK.

The password assigned to this username must be exactly eight characters long. To optimize security, you must specify a string that does not spell a real word. The password must also use a mix of uppercase and lowercase characters and include at least one number.

v Be sure to remember this username and password. You will need to specify it when installing and configuring the system, and it may be needed to run certain Tivoli PKI system administration tools.

v If you plan to install Tivoli PKI in a multiple machine configuration, be sure to create the same username and password on each machine.

You should consider backing up your Windows NT system before proceeding with the installation of Tivoli PKI. Having a backup image enables you to restore the system in the event that problems occur. You can use the Backup program provided by the Windows NT Administrative Tools to create a system image. You can also use another Windows-compliant backup program of your choice.

Installing the Database Software

Tivoli PKI uses IBM DB2 Universal Database software to manage data. The software provided with Tivoli PKI is intended solely for use by Tivoli PKI applications. If you want to customize the database software, or use it for purposes other than Tivoli PKI, you must purchase a license for a complete version of IBM DB2 Enterprise Edition, version 5.2, and apply fix pack 10.


Use the following procedure to install the database software. If you are setting up Tivoli PKI in a multiple machine configuration, you must install the Tivoli PKI database software on each machine where you plan to install a Tivoli PKI server component.

1. Place the Tivoli Public Key Infrastructure for NT CD in a CD-ROM drive.

2. Select Start → Run.

3. Click Browse to change to the CD-ROM drive.

4. Run setup.exe.

5. In the Choose Setup Language window, select a language for this installation and click OK.

6. Review the information on the Welcome window and click Next.

Note: If DB2 already exists on this machine and is at the correct level, the program advances to the Setup Complete window. At that point, click Finish to complete the installation.

7. In the Choose Destination Location window, click Next to use the default installation path, or select the drive and destination folder where you want to install the software and then click Next. (The default path, c:\Program Files\IBM\Trust Authority, is acceptable.)

8. In the Specify Database Administrator window, type a Username and Password for the database administrator, re-type the password to confirm it, and click Next. The suggested value is db2admin for both entries.

9. The program begins installing the database software. The process may take several minutes.

10. In the Setup Complete window, click Finish to complete the installation.


Installing the Web Server Software

Tivoli PKI uses the IBM WebSphere Application Server and IBM HTTP Server to support its Web-based functions. To ensure that the Web server programs are installed correctly for use with Tivoli PKI, follow the procedures in this section to install the software on a Windows NT platform. You must install the software on the machine where you plan to install the Registration Authority component.

Tivoli PKI includes an updated version of the WebSphere Application Server on the Tivoli PKI for AIX and NT CD. You use the WebSphere Application Server version 2.02 CD to install the IBM HTTP Server, and the Tivoli PKI CD to install the WebSphere Application Server.

Note that even though WebSphere has an administrative interface for managing servlets, it is not possible and not necessary to use it to manage Tivoli PKI servlets.

Installing the JDK

To install the JDK, do the following:

1. Insert the WebSphere Application Server version 2.0.2 CD in the CD-ROM drive.

2. Change to the \NT\jdk directory, and run the JDK setup.exe program.

3. In the Welcome window, click Next.

4. In the Software License Agreement window, read the agreementand click Yes to accept it.

5. In the Select Components window, accept the default selections (Program Files, Library and Header Files, and Demo Applets). Click Next to use the default installation path, or select the drive and destination folder where you want to install the JDK and then click Next. (The default path might be acceptable.)

6. In the Start Copying Files window, review the choices you made and click Next to proceed.

7. In the Setup Complete window, click Finish.


8. When the readme file is displayed, review it.

Installing IBM HTTP Server

To install the IBM HTTP Server, do the following:

1. Insert the WebSphere Application Server version 2.0.2 CD in the CD-ROM drive.

2. Change to the \NT\httpd directory, and run the IHS setup.exe program.

3. In the Welcome window, click Next.

4. In the Software License Agreement window, read the agreementand click Yes to accept it.

5. In the Choose Destination Location window, choose the defaultinstallation path or specify one.

6. Click Next.

7. On the Setup Type window, select Custom and click Next.

8. In the Select Components window, there are two panes: the left pane lists the names of the component sets; the right pane lists the components that make up a given component set. Select Base on the left and deselect Apache Source on the right. If you do not want to install the Documentation, deselect it as well. Click Next to continue.

9. In the Select Program Folder menu, click Next to accept the default program folder, or type the folder name you want to use and then click Next.

10. In the Information for Service Setup window, type cfguser for the User ID, type the password you created for this account, confirm the password, and then click Next.

11. In the Setup Complete window, you have a choice to reboot now or later. Choose later (No) and then click Finish.

Note: After installing the IBM HTTP Server, you must set the server service to manual so that the server does not start as a service. Do the following:


1. Select Start → Settings → Control Panel.

2. Double-click Services and select the IBM HTTP Server service.

a. Click Stop (if it has already been started).

b. Click Startup, and change the Startup Type to Manual.

c. Click OK.

d. Click Close, and exit the Control Panel.

Install WebSphere Application Server

To install WebSphere Application Server, do the following:

1. Place the Tivoli Public Key Infrastructure for AIX and NT CD in the CD-ROM drive.

2. Change to the \WinNT\WebSphereAS-2031 directory, and run the was2031.exe program.

3. In the WebSphere Application Server window, click Next. You can ignore the warning about stopping the HTTP Server.

4. In the Choose Target Directory window, click Next to accept the default installation path, or select the drive and destination folder where you want to install the software and then click Next.

5. In the Choose Application Server Components window, you can optionally deselect Documentation and Samples; all other components are required. Click Next to proceed.

6. In the Select Java Development Kit or Runtime Environment window, ensure that Java Development Kit 1.1.6 is selected, and then click Next.

7. In the Choose Application Server Plugins window, select IBM HTTP Server Version 1.3.3.x and then click Next.

8. In the Select Program Folder window, click Next to accept the default program folder, or type the folder name you want to use and then click Next.


9. In the Configure IBM HTTP Server window, ensure that it displays the correct path for the location of your installed IBM HTTP Server \conf directory, and then click OK.

10. In the Setup Complete window, click Finish.

11. When the readme file is displayed, review it.

12. In the Restarting Windows window, you have a choice to rebootnow or later. Select Yes to reboot now and then click OK.

Setting Up IP Aliases

"Configuring IP Aliases for the Web Server" on page 39 discusses how Tivoli PKI configures ports on the Web server to process secure and non-secure transactions. If you want to use a different configuration, use IP aliases to define those ports.

Installing IBM Directory

Tivoli PKI uses the IBM Directory to store and maintain information about certificates issued through the registration facility. Use the procedures in the following sections to install and set up the Directory software. You can install this software on a remote machine or on the same machine where you plan to install a Tivoli PKI server component.

Installing Directory Software

To install the Directory software, do the following:

1. Insert the IBM Directory Server CD in the CD-ROM drive and run the setup.exe program.

2. In the Choose the Language of the installation window, select the installation language and click Next.

3. In the Welcome window, click Next.

4. In the Select Components window, select Install the SecureWay Directory and Client SDK and click Next.

5. In the Choose Destination Location window, click Next to use the default installation path, or specify a different location and then click Next. If you receive a message about the installation partition not being an NTFS partition, click OK to continue.

6. In the Folder Selection window, click Next to accept the default program folder, or specify a different folder name and then click Next.

7. In the Configure window, clear all the boxes and click Next.

8. In the Start Copying Files for SecureWay Directory and Client SDK window, review the selections and click Next.

9. When prompted, click Yes to view the readme file. After reviewing it, close the window.

10. In the Setup Complete window, you have a choice to reboot now or later. Select Yes to reboot now and then click Finish.

Note: In a multiple machine configuration, each Tivoli PKI server must have the Directory client software installed before you run the Tivoli PKI configuration applet. To install this software, you must install the Directory Client option from the Directory Server CD-ROM on each machine except the one where you just installed the Directory server software. The critical files that must be installed on each machine are ldap.dll and ldaploc1.dll.

Using the Directory with Tivoli PKI

Before you install or configure the Tivoli PKI server components, you need to understand how Tivoli PKI interacts with the Directory. To learn about Directory schema requirements and how to configure the Directory for Tivoli PKI, refer to the Tivoli PKI Configuration Guide.

Confirming System Settings

Before installing Tivoli PKI, do the following to ensure that the services are in the states shown below.

1. Log in to Windows NT as the Tivoli PKI configuration user (typically cfguser).

2. Select Start → Settings → Control Panel.


3. Double-click Services and confirm the following states. The two highlighted service settings are critical:

   DB2 - DB2                   Started   Automatic
   DB2 - DB2DAS00              Started   Automatic
   DB2 Governor                          Manual
   DB2 JDBC Applet Server                Manual
   DB2 Security Server                   Manual
   IBM HTTP Server                       Manual
   WebSphere Servlet Service             Manual

4. Click Close and exit the Control Panel.

Installing Tivoli PKI

Use the following guidelines to install the Tivoli PKI product components.

¶ You must install all the server programs on the same platform (in this case Windows NT).

¶ If you previously installed IBM KeyWorks version 1.1.1, you must either install Tivoli PKI on a different machine, or remove the KeyWorks software and any associated applications before you start the Tivoli PKI installation program.

¶ If you are setting up Tivoli PKI in a multiple machine configuration, you must repeat the installation procedures until you have installed all server components on the intended machines.

¶ When you install the RA Desktop applet, you first install an installation image. You must then distribute the image or make it available on your network so that users can run the installation program from a local machine running Windows. For instructions on how to install, configure, and uninstall these programs, see the Tivoli PKI RA Desktop Guide.

¶ If you did not restart the system after installing the prerequisite software, do so now. You must ensure that environment variables are correct before you install Tivoli PKI.

¶ Use PING or another network connectivity tool to verify that host names and IP addresses are valid and known to your network's DNS server.


Installing the Server Software

To install the server software, do the following:

1. Log in to Windows NT by using the username and password that you identified for this purpose (typically cfguser). If necessary, see "Setting Up Windows NT" on page 80 for assistance.

2. Shut down all active programs.

3. Place the Tivoli Public Key Infrastructure for AIX and NT CD in a locally-attached CD-ROM drive.

4. Select Start → Run, click Browse to change to the CD-ROM drive, and run setup.exe. For example:

drive:\WinNT\TrustAuthority\setup

If you are running the Setup program on a machine that has more than 256 MB of memory, you must add the /z switch to disable the memory check. For example:

drive:\WinNT\TrustAuthority\setup /z

5. In the Choose Setup Language window, select a language for this installation and click OK. The default value is English.

6. Review the information on the Welcome window, and click Next.

7. If you installed an independent version of IBM DB2 instead of the version provided with Tivoli PKI, the Choose Destination Location window appears. Click Next if you want to install the software in the default location (c:\Program Files\IBM\Tivoli PKI). Otherwise, click Browse to select or type a different destination folder, and then click Next.

8. In the Select Components window, use the following table as a guideline. Check the components you want to install, clear the components you do not want to install, and click Next.


Component: Tivoli PKI and Registration Authority server
Description: Installs the main Tivoli PKI programs and the Registration Authority server software, including all files needed for the registration facility.

Component: Certificate Authority and Audit server
Description: Installs the Certificate Authority and Audit subsystem programs.

Component: Directory server
Description: Installs software that the Tivoli PKI components need to interact with the Directory.

Component: Registration Authority Desktop
Description: Installs an installation image for the Tivoli PKI RA Desktop applet.

Notes:

¶ At this point, the Setup program determines whether the software required for the components you selected is installed and at the correct version level. If a prerequisite program is not available, the Setup program exits. Install the prerequisite software, and then start the installation procedure again.

¶ To prepare for database configuration, the Setup program also validates the username under which you logged in. If the username is longer than eight characters, the Setup program exits. Log in with a username that has eight characters or fewer, and then start the installation procedure again.

¶ If you select Tivoli PKI and Registration Authority server, and the Setup program detects that more than one version of IBM WebSphere Application Server or IBM HTTP Server is available, it prompts you to select the version you want to use.

9. In the Select Program Folder window, click Next if you want to create a program icon in the default program folder (Tivoli PKI). Otherwise, type or select the name of the folder you want to use, and then click Next.


10. In the Setup Complete window, click Finish to start the installation process. The system copies files to the requested locations and runs several programs to complete the installation of Tivoli PKI.

11. After the software is installed, restart the system.

Changing Bootstrap Values

Use this procedure only if you want to change any of the default configuration values (values that you cannot change when running the configuration applet or after the system has been configured). You must make all bootstrap changes before you run the Tivoli PKI post-installation configuration program.

Tivoli PKI runs a bootstrap program as part of the post-installation process. Input to the bootstrap program is an SQL script named createconfig_start.sql that loads the configuration database with default values and creates database table definitions in the ConfigDataTbl database table. This table contains the system configuration data for all the Tivoli PKI components. Several values in this SQL script cannot be changed once the configuration process has started.

Note: Under critical circumstances where a default value may cause a problem in your operating environment, you can also change Tivoli PKI template files prior to configuration. For more information, contact your IBM support representative.

To change a bootstrap value, edit the createconfig_start.sql file. The default location for this file is c:\Program Files\IBM\Trust Authority\bin.

Use the following table as a guideline when making any changes:

¶ For Windows NT, you cannot change the DATABASE PATHNAME values.

¶ The distinguished names (DNs) for the Tivoli PKI RA, Directory administrator, and Audit subsystem are transparent to the user. If you want to change them, be sure to change only the common name (CN) attribute. The Certificate Authority (CA) DN base you specify during configuration will be applied to the CN you select.

Field name: WS_RO_KEYSIZE
Description: Web server keyring key size. Options 0-3, as defined in the KeySize enumeration, are as follows:
¶ 0 = 512
¶ 1 = 768
¶ 2 = 1024
¶ 3 = 2048
Default value: 0

Field name: APP_DN
Description: The DN of the Tivoli PKI RA. You can modify the CN only.
Default value: /C=US/O=YourOrganization/OU=Tivoli PKI/CN=Tivoli PKI RA

Field name: APP_CERT_LIFETIME
Description: The lifetime of any non-CA certificate in the system (such as user, server, or RA certificates), specified in months. The value you specify must also be specified in the jonahca.ini.tpl and jonahra.ini.tpl files.
Default value: 36

Field name: APP_LDAP_DIRADMIN_DN
Description: The DN of the Directory administrator. You can modify the CN only.
Default value: /C=US/O=YourOrganization/OU=Tivoli PKI/CN=DirAdmin

Field name: APP_COMM_PORT
Description: The communication port that handles communications between the registration facility framework and the Tivoli PKI RA.
Default value: 29783

Field name: APP_SEC_MECH
Description: The application's security mechanism. The default value disables the RA's database encryption. Setting the value to 1 enables database encryption.
Default value: 0

Field name: CA_IBM_CA_CERT_LIFETIME
Description: The lifetime of the Tivoli PKI CA certificate, specified in months.
Default value: 360

Field name: CA_IBM_ADMIN_PORT
Description: The administrative port of the Tivoli PKI CA. The value you specify must also be specified on the PORT entry in the file irgAutoCA.ini.tpl, which is located in the cfg directory.
Default value: 1835

Field name: ADT_DN
Description: The DN of the Audit subsystem. You can modify the CN only.
Default value: /C=US/O=YourOrganization/OU=Tivoli PKI/CN=Tivoli PKI Audit
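A pre-configuration check over the bootstrap fields above, as an added example and not IBM/Tivoli code: it flags the shipped 512-bit web server key (WS_RO_KEYSIZE=0), RA database encryption left off (APP_SEC_MECH=0), values that the manual says must be mirrored in jonahca.ini.tpl, jonahra.ini.tpl and the PORT entry of irgAutoCA.ini.tpl, and DNs where more than the CN was changed. The manual gives the field names and defaults but not the statement syntax of createconfig_start.sql, so the ('FIELD', 'value') pair layout, the constructed sample script, the already-extracted .tpl values and the 2048-bit floor are assumptions of this example.

```python
"""Audit bootstrap values of a createconfig_start.sql-style script.

Added example for this section, not IBM/Tivoli code. The pair layout of the
SQL, the sample input and the template values are all constructed here.
"""
import re

# Index-to-bits mapping taken from the WS_RO_KEYSIZE description (KeySize enumeration).
KEYSIZE_BITS = {0: 512, 1: 768, 2: 1024, 3: 2048}
MIN_RSA_BITS = 2048  # policy floor chosen for this example, not a product setting

# The three internal DNs whose CN is the only attribute the manual allows you to change.
DN_DEFAULT_BASE = "/C=US/O=YourOrganization/OU=Tivoli PKI"
DN_FIELDS = ("APP_DN", "APP_LDAP_DIRADMIN_DN", "ADT_DN")

# Constructed sample input (not the shipped file). Every value is the documented
# default except APP_DN, where the OU was changed as well as the CN.
SAMPLE_SQL = """\
INSERT INTO ConfigDataTbl VALUES ('WS_RO_KEYSIZE', '0');
INSERT INTO ConfigDataTbl VALUES ('APP_SEC_MECH', '0');
INSERT INTO ConfigDataTbl VALUES ('APP_CERT_LIFETIME', '36');
INSERT INTO ConfigDataTbl VALUES ('CA_IBM_CA_CERT_LIFETIME', '360');
INSERT INTO ConfigDataTbl VALUES ('CA_IBM_ADMIN_PORT', '1835');
INSERT INTO ConfigDataTbl VALUES ('APP_DN', '/C=US/O=YourOrganization/OU=Registration/CN=Tivoli PKI RA');
INSERT INTO ConfigDataTbl VALUES ('APP_LDAP_DIRADMIN_DN', '/C=US/O=YourOrganization/OU=Tivoli PKI/CN=DirAdmin');
INSERT INTO ConfigDataTbl VALUES ('ADT_DN', '/C=US/O=YourOrganization/OU=Tivoli PKI/CN=Tivoli PKI Audit');
"""

# Values already set in the template files that the manual says must agree with
# the SQL script (constructed; the caller is assumed to have extracted them).
SAMPLE_TPL = {
    "jonahca.ini.tpl": "36",           # certificate lifetime in months
    "jonahra.ini.tpl": "24",           # deliberately out of step with the SQL
    "irgAutoCA.ini.tpl PORT": "1835",  # PORT entry in the cfg directory template
}

# Assumed layout: each statement carries a quoted FIELD name followed by a quoted value.
PAIR_RE = re.compile(r"'([A-Z_]+)'\s*,\s*'([^']*)'")


def parse_bootstrap(sql_text):
    """Return {field: value} for every ('FIELD', 'value') pair in the script."""
    return {m.group(1): m.group(2) for m in PAIR_RE.finditer(sql_text)}


def audit_bootstrap(values, tpl_values):
    """Return a list of findings; an empty list means the script passes every check."""
    findings = []

    # 1. Web server key size: the shipped default (index 0) selects a 512-bit key.
    raw = values.get("WS_RO_KEYSIZE", "0")
    idx = int(raw) if raw.isdigit() else -1
    bits = KEYSIZE_BITS.get(idx)
    if bits is None:
        findings.append(f"WS_RO_KEYSIZE={raw!r} is not in the 0-3 range")
    elif bits < MIN_RSA_BITS:
        findings.append(f"WS_RO_KEYSIZE={idx} selects a {bits}-bit key; use 3 for 2048")

    # 2. RA database encryption stays off unless APP_SEC_MECH is 1.
    if values.get("APP_SEC_MECH", "0") != "1":
        findings.append("APP_SEC_MECH is not 1: RA database encryption stays disabled")

    # 3. Values the manual requires to be repeated in the .tpl files.
    life = values.get("APP_CERT_LIFETIME")
    for tpl in ("jonahca.ini.tpl", "jonahra.ini.tpl"):
        if tpl_values.get(tpl) != life:
            findings.append(f"APP_CERT_LIFETIME={life} differs from {tpl} ({tpl_values.get(tpl)})")
    port = values.get("CA_IBM_ADMIN_PORT")
    if tpl_values.get("irgAutoCA.ini.tpl PORT") != port:
        findings.append(f"CA_IBM_ADMIN_PORT={port} differs from PORT in irgAutoCA.ini.tpl")

    # 4. Only the CN of the three internal DNs may differ from the shipped default.
    for field in DN_FIELDS:
        dn = values.get(field, "")
        base, sep, _cn = dn.rpartition("/CN=")
        if not sep or base != DN_DEFAULT_BASE:
            findings.append(f"{field}: only the CN may change, but the DN base is {(base or dn)!r}")
    return findings


def audit_sample():
    """Run the audit over the constructed sample script and template values."""
    return audit_bootstrap(parse_bootstrap(SAMPLE_SQL), SAMPLE_TPL)


if __name__ == "__main__":
    for finding in audit_sample():
        print("FINDING:", finding)
```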

Running the Post-installation Configuration Program

After you install the Tivoli PKI server software, you must run a post-installation configuration program, CfgPostInstall. You must run this program before you run the Setup Wizard to configure Tivoli PKI.


This program creates a Web server configuration file (httpd.conf) that allows the Web server to be started with parameters required by Tivoli PKI. It also prepares the Web server to run the configuration applet, creates the configuration database, and populates the database with default configuration data.

To run the post-installation configuration program:

1. Log in as the Tivoli PKI configuration user, cfguser.

2. Ensure that a temp directory exists on the server and that it is defined by the environment variable %TEMP%.

3. Select Start → Programs → Tivoli Public Key Infrastructure → Post Installation Configuration.

4. Type exit to close the window.

CfgPostInstall prompts you to verify the cfguser account password, which was set when the account was created, and then prompts you to set and confirm the Control Program password. The password for cfguser controls access to the cfguser account and to the CfgApplet wizard page. The password for the Control Program restricts access to the Control Program. It is recommended that the password for the Control Program be different from the password for cfguser. The cfguser password you create must be a valid system password, not to exceed eight characters in length.

Post-installation Checklist

Use the following checklist to make sure that you are ready to begin configuring Tivoli PKI. For information about running the Setup Wizard, see the Tivoli PKI Configuration Guide:

1. Use your preferred Windows NT tools to back up the current system.

2. To aid in future problem resolution, create a backup copy of the Windows Registry to ensure that you have a list of all the installed software.

3. If you do not intend to use the default configuration values for the Web server ports, you must configure the IP aliases before you run the Setup Wizard. The configuration programs rely on these values when creating the CA certificate for your system. See "Configuring IP Aliases for the Web Server" on page 39 for a discussion of how Tivoli PKI configures and uses ports on the Web server for secure and non-secure transactions.

4. Decide on the distinguished names (DNs) you want to use for the Tivoli PKI CA and its agents, the Directory administrator and the Directory root.

Review the guidelines in the Tivoli PKI Configuration Guide to make sure that the DNs for these objects support your intended certification hierarchy.

5. Complete the Tivoli PKI Configuration Data Form located in the Tivoli PKI Configuration Guide to become familiar with information you must have available before you configure the system. Use the form to record information about your system, such as your server host names and your preferred distinguished names.

6. To aid in configuration, take the following steps to set up a large, scrollable MS DOS environment on the machine where you plan to run the Setup Wizard. In a typical environment, the DOS window does not have a scroll bar and displays only 24 lines of information:

a. Log in as the Tivoli PKI configuration user (typically cfguser).

b. Select Start → Settings → Control Panel.

c. Double-click the MS DOS Console.

d. Select the Layout tab.

e. In the Screen Buffer Size section, set Height to at least 1000 (you can specify any high number up to the maximum 9999) and click OK.


Running the Backup Utility

The Tivoli PKI backup utility (ta-backup) is a tool for saving configuration data that is not stored in any of the DB2 databases. Ancillary file data, such as file permissions, is also saved. Use DB2 utilities for backing up DB2 databases.

The backup utility accepts one parameter that identifies the directory where backup data is to be written. This backup directory is the root directory to be used for saving all data files. To avoid name conflicts within the backup directory, the backup utility saves files with the same directory structure as exists on the system being saved.

The following example illustrates the program syntax:

ta-backup -d backup_directory

where -d backup_directory is the directory to be used for data backup. The default path is /usr/lpp/iau/backup.

Do the following to run the ta-backup utility offline:

1. Log in as cfguser.

2. Optionally create the directory where you want to back up Tivoli PKI configuration data. For example:

mkdir "c:\Program Files\IBM\Trust Authority\my_tabackup"

3. Change to the Tivoli PKI bin directory. The default path is c:\Program Files\IBM\Trust Authority\bin.

4. Enter the following command, and specify the absolute path to where you want data to be backed up:

ta-backup -d "c:\Program Files\IBM\Trust Authority\my_tabackup"


Configuring Tivoli PKI

After installing the Tivoli Public Key Infrastructure (PKI) server software, you must specify configuration values to control how the components are set up at your site. For example, you need to identify the locations of the server programs, specify distinguished names (DNs), and set up your registration domain.

During configuration, the system saves your values in an exportable file. This feature is useful for setting up multiple instances of Tivoli PKI that use the same platform and have similar configurations. When you install a new Tivoli PKI instance, you can import the saved values to use as a baseline for configuring the new system.

The Tivoli PKI product includes the Setup Wizard, an applet for specifying configuration options. Before you begin to configure your Tivoli PKI system, you need to understand the configuration process and decide how you want to set up the system in your environment. You need to have knowledge about your system available at the time you run the Setup Wizard. You also need to ensure that your system is properly configured before you attempt to use it.

The Tivoli PKI Configuration Guide describes how to prepare for configuration, specify configuration options, and prepare the system for use in a production environment. For example, it includes:

¶ Work sheets to help you gather information before you start the Setup Wizard.


¶ Guidelines for using the DN editor to specify a valid distinguished name.

¶ Recommendations for steps you should take before you release Tivoli PKI to your user community. Note that certain steps, such as changing the server passwords and backing up your newly configured system, are critical.

¶ Procedures for uninstalling the software.

Designed for use in a Web environment, the Configuration Guide provides:

¶ Task-oriented information, such as “How do I set up remote components?” or “How do I verify the configuration?”

¶ Conceptual information, such as “Tell me about registration domains” or “Tell me about the Directory”.

¶ Reference information, such as detailed descriptions of the values you can specify when using the Setup Wizard.

You can access the Configuration Guide in any of the following ways:

¶ After starting the Setup Wizard, click any Help button, then click the book icon while viewing online help.

¶ From the Tivoli Public Key Infrastructure Web site: http://www.tivoli.com/support


Getting Started

After installing and configuring your Tivoli Public Key Infrastructure (PKI) system, you need to learn about administering it and using the graphical user interfaces it provides. The following sections direct you to documentation that can help you get started with Tivoli PKI. You should review these documents to learn how to do the following kinds of tasks:

¶ Fine-tune system operations, whether securing the system for production or making ongoing performance adjustments.

¶ Run the RA Desktop to administer issued certificates and requests for certificates.

¶ Obtain certificates using the browser enrollment forms provided with the registration facility.

¶ Customize registration processes, such as modifying the HTML forms for enrollment or including support for different certificate types.

System Administration

Tivoli Public Key Infrastructure provides several tools to help you administer the system. It includes:

¶ A utility for starting and stopping the server components in a secure, password-protected mode.

¶ A utility for setting secure passwords for the trusted component programs.


¶ A utility for authorizing administrative users to use the RA Desktop.

¶ A utility that enables the Tivoli PKI Certificate Authority (CA) to cross-certify with another CA or to establish a CA hierarchy.

¶ A utility for checking the integrity of the audit database and archived audit records.

¶ A utility for archiving and signing the audit database.

¶ A utility to cause a root CA key rollover from one non-compromised key pair to the next CA key pair.

¶ A set of utilities that provide a secure method for an authenticated user to request multiple digital certificates with one call to Tivoli PKI.

The Tivoli PKI System Administration Guide documents these utilities and provides administrative guidelines. For example, it includes recommendations for administering the server components and their respective databases. It also documents the steps you must take to finalize the system’s setup and secure it for use in a production environment.

Designed for use in a Web environment, the System Administration Guide provides:

¶ Task-oriented information, such as “How do I stop the system?” or “How do I archive the audit database?”

¶ Conceptual information, such as “Tell me about cross-certification,” “Tell me about the Tivoli PKI CA,” or “Tell me about auditable events.”

¶ Reference information, such as detailed descriptions of configuration file parameters.

To access the System Administration Guide, go to the Tivoli Public Key Infrastructure Web site: http://www.tivoli.com/support


RA Administration

The RA server stores records about enrollment requests and issued certificates in an encrypted registration database. Evaluating enrollment requests and administering the database records are tasks that can be handled programmatically or by a human administrator.

Tivoli PKI provides an applet, the RA Desktop, that makes it easy for authorized registrars to process requests for certificates and take action on issued certificates.

The RA Desktop supports the following typical administrative tasks:

¶ Working with enrollment requests that are awaiting approval

¶ Changing the validity period for certificates that are about to expire

¶ Determining whether a certificate can be renewed

¶ Temporarily suspending certificates

¶ Permanently revoking certificates

The Tivoli PKI Registration Authority Desktop Guide describes the RA Desktop applet.

Designed for use in a Web environment, the RA Desktop Guide provides:

¶ Task-oriented information, such as “How do I install the RA Desktop?”, “How do I retrieve a set of certificates that are about to expire?” or “How do I view a history of the actions taken on a certificate?”

¶ Conceptual information, such as “Tell me about registration domains” or “Tell me about the certificate life cycle.”

¶ Reference information, such as detailed descriptions of the values a registrar can specify when using the RA Desktop.

You can access the RA Desktop Guide in the following ways:

¶ After starting the RA Desktop, click any Help button, then click the book icon while viewing online help.


¶ From the Tivoli Public Key Infrastructure Web site: http://www.tivoli.com/support

Registration and Certification

Using the browser enrollment forms that are provided with the registration facility, you can easily register for browser, server, and device certificates. When the request is approved, the certificate is downloaded automatically. You can also use the browser forms to preregister for certificates that can be used with a PKIX application. When the preregistration request is approved, information is provided that enables you to obtain the certificate at a convenient time.

The Tivoli PKI User’s Guide describes the browser enrollment forms and includes:

¶ Task-oriented information, such as “How do I enroll for a browser certificate?” or “How do I renew certificates that are about to expire?”

¶ Conceptual information, such as “Tell me about preregistration” or “Tell me about server certificates”.

You can access the User’s Guide from the Tivoli Public Key Infrastructure Web site: http://www.tivoli.com/support

Customization

Tivoli PKI provides flexibility for how you want to implement registration processes for your organization. For example, it allows you to control the following kinds of activities:

¶ The appearance of and language used on the browser enrollment forms

¶ Certification policies

¶ The content of notification letters sent to users who register for certificates


¶ Policy exits to handle different types of automated processing

The Tivoli PKI Customization Guide describes the various ways that you can customize the registration facility and includes:

¶ Task-oriented information, such as “How do I add an enrollment field?” or “How do I change a certificate profile?”

¶ Conceptual information, such as “Tell me about preregistration,” “Tell me about business policy”, or “Tell me about access controls”.

¶ Reference information, such as detailed descriptions of certificate types and the registration facility configuration file.

To access the Customization Guide, go to the Tivoli Public Key Infrastructure Web site: http://www.tivoli.com/support


Glossary

This glossary defines the terms and abbreviations in this book that are new or unfamiliar and terms that are of interest. It includes terms and definitions from:

¶ The IBM Dictionary of Computing, New York: McGraw-Hill, 1994.

¶ The American National Standard Dictionary for Information Systems, ANSI X3.172–1990, American National Standards Institute (ANSI), 1990.

¶ The Answers to Frequently Asked Questions, Version 3.0, California: RSA Data Security, Inc., 1998.

Numbers

4758 PCI Cryptographic Coprocessor
A programmable, tamper-responding cryptographic PCI-bus card offering high performance DES and RSA cryptographic processing. The cryptographic processes occur within a secure enclosure on the card. The card meets the stringent requirements of the FIPS PUB 140-1 level 4 standard. Software can run within the secure enclosure. For example, credit card transaction processing can use the SET standard.

A

Abstract Syntax Notation One (ASN.1)
An ITU notation that is used to define the syntax of information data. It defines a number of simple data types and specifies a notation for identifying these types and for specifying values of these types. These notations can be applied whenever it is necessary to define the abstract syntax of information without curbing how the information is encoded for transmission.

access control list (ACL)
A mechanism for limiting the use of a specific resource to authorized users.

ACL
Access control list.

action history
Accumulated events in the life cycle of a credential.


American National Standard Code for Information Interchange (ASCII)
The standard code that is used for information interchange among data processing systems, data communication systems, and associated equipment. The ASCII set uses a coded character set that consists of 7-bit coded characters (8 bits including a bit for parity checking). The character set consists of control characters and graphic characters.

American National Standards Institute (ANSI)
An organization that establishes the procedures by which accredited organizations create and maintain voluntary industry standards in the United States. It consists of producers, consumers, and general interest groups.

ANSI
American National Standards Institute.

applet
A computer program that is written in Java and runs inside a Java-compatible Web browser. Also known as a Java applet.

ASCII
American National Standard Code for Information Interchange.

ASN.1
Abstract Syntax Notation One.

asymmetric cryptography
Cryptography that uses different keys for encryption and decryption. Each user receives a pair of keys: a public key accessible to all, and a private key known only to the user. Data encrypted with one key of the pair can be decrypted only with the other, so a message encrypted under a recipient’s public key can be read only by the holder of the corresponding private key. This is also known as key pair cryptography. Contrast with symmetric cryptography.

asynchronous communication
A mode of communication that does not require the sender and recipient to be present simultaneously.

audit client
Any client in the system that sends audit events to the Tivoli PKI Audit server. Before an audit client sends an event to the Audit server, it establishes a connection with the Audit server. After the connection is established, the client uses the audit subsystem client library to deliver events to the Audit server.

audit log
In Tivoli PKI, a table in a database that stores one record per audit event.

Audit server
A Tivoli PKI server that receives audit events from audit clients and writes them to an audit log.


audit subsystem
In Tivoli PKI, a subsystem that provides the support for logging security-relevant actions. It conforms to recommendations in standard X9.57, one of the standards set forth in Public Key Cryptography for the Financial Services Industry.

audit trail
Data, in the form of a logical path, that links a sequence of events. An audit trail enables tracing of transactions or the history of a given activity.

authentication
The process of reliably determining the identity of a communicating party.

authorization
Permission to access a resource.

B

base64 encoding
A common means of conveying binary data with MIME.

Basic Encoding Rules (BER)
The rules specified in ISO 8825 for encoding data units described in Abstract Syntax Notation One (ASN.1). The rules specify the encoding technique, not the abstract syntax.

BER
Basic Encoding Rules.

browser
See Web browser.

browser certificate
A digital certificate, also known as a client-side certificate, that is issued by a CA through an SSL-enabled Web server. Keys in an encrypted file enable the holder of the certificate to encrypt, decrypt, and sign data. Typically, the Web browser stores these keys. Some applications permit storage of the keys on smart cards or other media. See also digital certificate.

business process objects
A set of code used to accomplish a specific registration operation, such as checking the status of an enrollment request or verifying that a public key was sent.

business process template
A set of business process objects that are run in a specified order.


bytecode
Machine-independent code that is generated by the Java compiler and run by the Java interpreter.

C

CA
Certificate authority.

CA certificate
A certificate your Web browser accepts, at your request, from a CA it does not recognize. The browser can then use this certificate to authenticate communications with servers that hold certificates issued by that CA.

CA hierarchy
In Tivoli PKI, a trust structure whereby one CA is located at the top of the structure and up to four layers of subordinate CAs are located below. When users or servers are registered with a CA, they receive a signed certificate from that CA, and they inherit the certification hierarchy of the layers above.

CA server
The server for the Tivoli PKI Certificate Authority (CA) component.

CAST-64
A block cipher algorithm that uses a 64-bit block size and a 64-bit key. It was designed by Carlisle Adams and Stafford Tavares.

CCA
IBM Common Cryptographic Architecture.

CDSA
Common Data Security Architecture.

certificate authority (CA)
The software responsible for following an organization’s security policies and assigning secure electronic identities in the form of certificates. The CA processes requests from RAs to issue, renew, and revoke certificates. The CA interacts with the RA to publish certificates and CRLs in the Directory. See also digital certificate.

certificate extension
An optional feature of the X.509v3 certificate format that provides for the inclusion of additional fields in the certificate. There are standard extensions and user-defined extensions. Standard extensions exist for various purposes, including key and policy information, subject and issuer attributes, and certification path constraints.


certificate policy
A named set of rules that indicates the applicability of a certificate to a particular class of applications that have common security requirements. For example, a certificate policy might indicate whether a particular certification type allows a user to conduct transactions for goods within a given price range.

certificate profile
A set of characteristics that define the type of certificate wanted (such as SSL certificates or IPSec certificates). The profile aids in managing certificate specification and registration. The issuer can change the names of the profiles and specify characteristics of the desired certificate, such as the validity period, key usage, DN constraints, and so forth.

certificate revocation list (CRL)
A digitally-signed, time-stamped list of certificates that the certificate authority has revoked. The certificates in this list should be considered unacceptable. See also digital certificate.

certification
The process during which a trusted third party issues an electronic credential that vouches for an individual, business, or organizational identity.

CGI
Common Gateway Interface.

chain validation
The validation of all CA signatures in the trust hierarchy through which a given certificate was issued. For example, if a CA was issued its signing certificate by another CA, both signatures are validated during validation of the certificate that the user presents.

class
In object-oriented design or programming, a group of objects that share a common definition and therefore share common properties, operations, and behavior.

cleartext
Data that is not encrypted. Synonym for plaintext.

client
(1) A functional unit that receives shared services from a server. (2) A computer or program that requests a service of another computer or program.

client/server
A model in distributed processing in which a program at one site sends a request to a program at another site and waits for a response. The requesting program is called a client; the answering one is called a server.


code signing
A technique for signing executable programs with digital signatures. Code signing is designed to improve the reliability of software that is distributed over the Internet.

Common Cryptographic Architecture (CCA)
IBM software that enables a consistent approach to cryptography on major IBM computing platforms. It supports application software that is written in a variety of programming languages. Application software can call on CCA services to perform a broad range of cryptographic functions, including DES and RSA encryption.

Common Data Security Architecture (CDSA)
An initiative to define a comprehensive approach to security service and security management for computer-based security applications. It was designed by Intel, to make computer platforms more secure for applications.

Common Gateway Interface (CGI)
Standard method for transmitting information between Web pages and Web servers.

confidentiality
The property of not being divulged to unauthorized parties.

credential
Confidential information used to prove one’s identity in an authentication exchange. In environments for network computing, the most common type of credential is a certificate that a CA has created and signed.

CRL
Certificate revocation list.

CRL publication interval
Set in the CA configuration file, the interval of time between periodic publications of the CRL to the Directory.

cross-certification
A trust model whereby one CA issues to another CA a certificate that contains the public key associated with its private signature key. A cross-certified certificate allows client systems or end entities in one administrative domain to communicate securely with client systems or end entities in another domain.

cryptographic
Pertaining to the transformation of data to conceal its meaning.

cryptography
In computer security, the principles, means, and methods for encrypting plaintext and decrypting encrypted text.


D

daemon
A program that carries out background tasks. It is implicitly called when a condition occurs that requires its help. A user need not be aware of a daemon, because the system usually spawns it automatically. A daemon might live forever or the system might regenerate it at intervals. The term (pronounced demon) comes from mythology. Later, it was rationalized as the acronym DAEMON: Disk And Execution MONitor.

Data Encryption Standard (DES)
An encryption block cipher, defined and endorsed by the U.S. government in 1977 as an official standard. IBM developed it originally. DES has been extensively studied since its publication and is a well-known and widely used cryptographic system. DES is a symmetric cryptographic system. When it is used for communication, both the sender and receiver must know the same secret key. This key is used to encrypt and decrypt the message. DES can also be used for single-user encryption, such as to store files on a hard disk in encrypted form. DES has a 64-bit block size and uses a 56-bit key during encryption. It was originally designed for implementation in hardware. NIST has recertified DES as an official U.S. government encryption standard every five years.

Data Storage Library (DL)
A module that provides access to persistent data stores of certificates, CRLs, keys, policies, and other security-related objects.

decrypt
To undo the encryption process.

DEK
Document encrypting key.

DER
Distinguished Encoding Rules.

DES
Data Encryption Standard.

Diffie-Hellman
A method of establishing a shared key over an insecure medium, named after the inventors (Diffie and Hellman).

digital certificate
An electronic credential that is issued by a trusted third party to a person or entity. Each certificate is signed with the private key of the CA. It vouches for an individual, business, or organizational identity.


Depending on the role of the CA, the certificate can attest to the authority of the bearer to conduct e-business over the Internet. In a sense, a digital certificate performs a similar role to a driver’s license or a medical diploma. It certifies that the bearer of the corresponding private key has authority to conduct certain e-business activities. A certificate contains information about the entity it certifies, whether person, machine, or computer program. It includes the certified public key of that entity.

digital certification
See certification.

digital signature
A value computed over a document or data and attached to it, which establishes the identity of the signer and the integrity of the data. A digital signature can provide a greater level of assurance than a physical signature. The reason for this is that a digital signature is not an encrypted name or series of simple identification codes. Instead, it is a summary (hash) of the message that is being signed, signed with the sender’s private key. Thus, affixing a digital signature to a message provides solid identification of the sender (only the sender’s private key can create the signature). It also fixes the content of the message that is being signed (the signed summary must match the message content or the signature is not valid). Thus, a digital signature cannot be copied from one message and applied to another because the summary, or hash, would not match. Any alteration to the signed message would also invalidate the signature.

Digital Signature Algorithm (DSA)
A public key algorithm that is used as part of the Digital Signature Standard. It cannot be used for encryption, only for digital signatures.

Directory
A hierarchical structure intended as a global repository for information related to communications (such as e-mail or cryptographic exchanges). The Directory stores specific items that are essential to the PKI structure, including public keys, certificates, and certificate revocation lists. Data in the Directory is organized hierarchically in the form of a tree, with the root at the top of the tree. Often, higher level organizations represent individual countries, governments, or companies. Users and devices are typically represented as leaves of each tree. These users, organizations, localities, countries, and devices each have their own entry. Each entry consists of typed attributes. These provide information about the object that the entry represents. Each entry in the Directory is bound with an associated distinguished name (DN). This is unique when the entry includes an attribute that is known to be unique to the real-world object. Consider the following example DN. In it, the country (C) is US, the organization (O) is IBM, the organizational unit (OU) is Trust, and the common name (CN) is CA1.

C=US/O=IBM/OU=Trust/CN=CA1
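As an added example (not code from the manual or the product), the following Python parses the slash-separated, root-first DN shown above into its relative distinguished names, lists the chain of Directory entries from the root down to the leaf, and renders the same DN in the comma-separated, leaf-first form that LDAP uses (RFC 2253), including the escaping of special characters in attribute values. The function names and the escaping helper are assumptions made for the example.

```python
"""Added example: work with the Directory DN notation used above.
Not Tivoli PKI code; function names are illustrative."""
from __future__ import annotations

RDN = tuple[str, str]  # (attribute type, value), e.g. ("CN", "CA1")


def parse_slash_dn(dn: str) -> list[RDN]:
    """Parse 'C=US/O=IBM/OU=Trust/CN=CA1' (root first) into RDNs.
    Attribute types are normalized to upper case; empty parts are rejected."""
    rdns: list[RDN] = []
    for part in dn.split("/"):
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        attr, value = part.split("=", 1)
        attr, value = attr.strip().upper(), value.strip()
        if not attr or not value:
            raise ValueError(f"empty attribute type or value in {part!r}")
        rdns.append((attr, value))
    return rdns


def ancestor_chain(rdns: list[RDN]) -> list[str]:
    """Every Directory entry on the path from the root to the leaf, in the
    same slash notation: ['C=US', 'C=US/O=IBM', 'C=US/O=IBM/OU=Trust', ...]."""
    return ["/".join(f"{a}={v}" for a, v in rdns[: i + 1])
            for i in range(len(rdns))]


def _escape_rfc2253(value: str) -> str:
    """Escape the characters RFC 2253 reserves inside an attribute value."""
    special = ',+"\\<>;'
    out = "".join("\\" + c if c in special else c for c in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def to_ldap_dn(rdns: list[RDN]) -> str:
    """Leaf-first, comma-separated LDAP string form of the DN."""
    return ",".join(f"{a}={_escape_rfc2253(v)}" for a, v in reversed(rdns))


if __name__ == "__main__":
    parsed = parse_slash_dn("C=US/O=IBM/OU=Trust/CN=CA1")
    for entry in ancestor_chain(parsed):
        print(entry)
    print(to_ldap_dn(parsed))   # CN=CA1,OU=Trust,O=IBM,C=US
```

The two string forms name the same entry; the difference is only the direction in which the RDNs are written, which is why a DN must be parsed into RDNs before being compared or used to locate an entry rather than compared as raw text.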


Directory server
In Tivoli PKI, the IBM Directory. This Directory supports LDAP standards and uses DB2 as its base.

Distinguished Encoding Rules (DER)
Provides constraints on the BER. DER selects just one type of encoding from those that the encoding rules allow, eliminating all of the sender’s options.
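To make the BER and DER entries concrete, here is an added Python example (not from the manual or the product) showing the difference on one point: the length octets of a tag-length-value element. BER allows a short length to be written in several ways; DER permits only the shortest. A lenient reader accepts all of them, so the same value can have several byte encodings; a strict reader rejects the non-canonical ones, which is what keeps signed or compared encodings unambiguous. The function names are assumptions made for the example; indefinite-length encoding is not implemented.

```python
"""Added example: canonical (DER) versus permissive (BER) length encoding.
Illustrative code, not part of Tivoli PKI."""
from __future__ import annotations


def der_length(n: int) -> bytes:
    """Canonical DER length: short form below 128, else the minimal long form."""
    if n < 0:
        raise ValueError("negative length")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_length_long_form(n: int, num_octets: int) -> bytes:
    """A BER-legal but non-minimal long-form length, e.g. 5 as 0x81 0x05."""
    body = n.to_bytes(num_octets, "big")   # OverflowError if num_octets too small
    return bytes([0x80 | num_octets]) + body


def read_length(buf: bytes, pos: int, strict: bool) -> tuple[int, int]:
    """Decode the length at buf[pos:]. Returns (length, position after it).
    strict=True enforces the DER rule that only the shortest form is valid."""
    first = buf[pos]
    if first == 0x80:
        raise ValueError("indefinite length not supported (never valid in DER)")
    if first < 0x80:
        return first, pos + 1
    k = first & 0x7F
    body = buf[pos + 1 : pos + 1 + k]
    if len(body) != k:
        raise ValueError("truncated length")
    n = int.from_bytes(body, "big")
    if strict and (body[0] == 0 or n < 0x80):
        raise ValueError("non-minimal length encoding is not DER")
    return n, pos + 1 + k


def encode_tlv(tag: int, value: bytes, length_octets: bytes | None = None) -> bytes:
    """Build one TLV; pass length_octets to force a particular BER length form."""
    return bytes([tag]) + (length_octets or der_length(len(value))) + value


def decode_tlv(buf: bytes, strict: bool) -> tuple[int, bytes]:
    """Decode a single TLV occupying the whole buffer."""
    tag = buf[0]
    n, pos = read_length(buf, 1, strict)
    value = buf[pos : pos + n]
    if len(value) != n or pos + n != len(buf):
        raise ValueError("value length does not match buffer")
    return tag, value


def reencode_der(buf: bytes) -> bytes:
    """Accept any BER length form, emit the single DER form."""
    tag, value = decode_tlv(buf, strict=False)
    return encode_tlv(tag, value)


if __name__ == "__main__":
    value = b"\x01\x02\x03\x04\x05"                          # constructed sample
    lenient = encode_tlv(0x02, value, ber_length_long_form(5, 1))
    print("BER form :", lenient.hex())                       # 0281050102030405
    print("DER form :", reencode_der(lenient).hex())         # 02050102030405
    try:
        decode_tlv(lenient, strict=True)
    except ValueError as e:
        print("strict reader:", e)
```

The point for a PKI: a signature is computed over the DER bytes, so two readers that disagree on whether a non-minimal BER form is acceptable can disagree on whether a certificate matches its signature. Strict DER parsing on the verifying side removes that ambiguity.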

distinguished name (DN)
The unique name of a data entry that is stored in the Directory. The DN uniquely identifies the position of an entry in the hierarchical structure of the Directory.

DL
Data Storage Library.

DN
Distinguished name.

document encrypting key (DEK)
Typically, a symmetric encryption/decryption key, such as a DES key.

domain
See security domain and registration domain.

DSA
Digital Signature Algorithm.

E

e-business
Business transactions over networks and through computers. It includes buying and selling goods and services. It also includes transferring funds through digital communications.

e-commerce
Business-to-business transactions. It includes buying and selling goods and services (with customers, suppliers, vendors, and others) on the Internet. It is a primary element of e-business.

end-entity
The subject of a certificate that is not a CA.

encrypt
To scramble information so that only someone who has the appropriate decryption code can obtain the original information through decryption.


encryption/decryption
Using the public key of the intended recipient to encipher data for that person, who then uses the private key of the pair to decipher the data.

enrollment
In Tivoli PKI, the process of obtaining credentials for use over the Internet. Enrollment encompasses the requesting, renewing, and revoking of certificates.

enrollment attribute
An enrollment variable that is contained in an enrollment form. Its value reflects the information that is captured during the enrollment. The value of the enrollment attribute remains the same throughout the lifetime of the credential.

enrollment variable
See enrollment attribute.

extranet
A derivative of the Internet that uses similar technology. Companies are beginning to apply Web publishing, electronic commerce, message transmission, and groupware to multiple communities of customers, partners, and internal staff.

F

File Transfer Protocol (FTP)
An Internet client/server protocol for use in transferring files between computers.

firewall
A gateway between networks that restricts the flow of information between networks. Typically, the purpose of a firewall is to protect internal networks from unauthorized use from the outside.

FTP
File Transfer Protocol.

G

gateway
A functional unit that allows incompatible networks or applications to communicate with each other.

H

hierarchy
The organization of Certificate Authorities (CA) in a trust chain, starting with the self-signed CA or root of roots at the top, and ending with the CA that issues certificates to end users.


HTML
Hypertext Markup Language.

HTTP
Hypertext Transfer Protocol.

HTTP server
A server that handles Web-based communications with browsers and other programs in a network.

hypertext
Text that contains words, phrases, or graphics that the reader can click with the mouse to retrieve and display another document. These words, phrases, or graphics are known as hyperlinks. Retrieving them is known as linking to them.

Hypertext Markup Language (HTML)
A markup language for coding Web pages. It is based on SGML.

Hypertext Transfer Protocol (HTTP)
An Internet client/server protocol for transferring hypertext files across the Web.

I

ICL
Issued certificate list.

IETF (Internet Engineering Task Force)
A group that focuses on engineering and developing protocols for the Internet. It represents an international community of network designers, operators, vendors, and researchers. The IETF is concerned with the development of the Internet architecture and the smooth use of the Internet.

IniEditor
In Tivoli PKI, a tool used to edit configuration files.

instance
In DB2, an instance is a logical database management environment for storing data and running applications. It allows definition of a common set of configuration parameters for multiple databases.

integrity
A system protects the integrity of data if it prevents unauthorized modification (as opposed to protecting the confidentiality of data, which prevents unauthorized disclosure).

117Tivoli PKI Up and Running

Glo

ssary

Page 138: Tivoli Public Key Infrastructure - publib.boulder.ibm.compublib.boulder.ibm.com/tividd/td/PKI/GC32-0472-03/en_US/PDF/iaugmst.pdf · ¶ If you are a marketing manager, this book shows

integrity checking
The checking of audit records that result from transactions with external components.

internal structure
See schema.

International Standards Organization (ISO)
An international organization tasked with developing and publishing standards.

International Telecommunication Union (ITU)
An international organization within which governments and the private sector coordinate global telecommunication networks and services. It is the leading publisher of telecommunication technology, regulatory, and standards information.

Internet
A worldwide collection of networks that provide electronic connection between computers. This enables them to communicate with each other via software devices such as electronic mail or Web browsers. For example, some universities are on a network that in turn links with other similar networks to form the Internet.

intranet
A network within an enterprise that usually resides behind firewalls. It is a derivative of the Internet and uses similar technology. Technically, intranet is a mere extension of the Internet. HTML and HTTP are some of the commonalities.

IPSec
An Internet Protocol Security standard, developed by the IETF. IPSec is a network layer protocol, designed to provide cryptographic security services that flexibly support combinations of authentication, integrity, access control, and confidentiality. Because of its strong authentication features, it has been adopted by many VPN product vendors as the protocol for establishing secure point-to-point connections over the Internet.

ISO
International Standards Organization.

issued certificate list (ICL)
A complete list of the certificates that have been issued and their current status. Certificates are indexed by serial number and state. This list is maintained by the CA and stored in the CA database.

ITU
International Telecommunication Union.

J

Java
A set of network-aware, non-platform-specific computer technologies developed by Sun Microsystems, Incorporated. The Java environment consists of the Java OS, the virtual machines for various platforms, the object-oriented Java programming language, and several class libraries.

Java applet
See applet. Contrast with Java application.

Java application
A stand-alone program that is written in the Java language. It runs outside the context of a Web browser.

Java class
A unit of Java program code.

Java language
A programming language, developed by Sun Microsystems, designed specifically for use in applet and agent applications.

Java Virtual Machine (JVM)
The part of the Java run-time environment responsible for interpreting bytecodes.

K

key
A quantity used in cryptography to encipher or decipher information.

Key Backup and Recovery
This feature of Tivoli PKI enables you to back up and recover the end entity certificates and their corresponding public and private keys certified by Tivoli PKI. The certificate and keys are stored in a PKCS #12 file. This file is protected by a password. The password is set at the time the certificate and keys are backed up.

key pair
Corresponding keys that are used in asymmetric cryptography. One key is used to encrypt and the other to decrypt.

KeyStore
A DL for storing Tivoli PKI component credentials, such as keys and certificates, in an encrypted format.

L

LDAP
Lightweight Directory Access Protocol.

Lightweight Directory Access Protocol (LDAP)
A protocol used to access the Directory.

M

MAC
Message authentication code.

MD2
A 128-bit message-digest hash function, designed by Ron Rivest. It is used with MD5 in the PEM protocols.

MD4
A 128-bit message-digest hash function, designed by Ron Rivest. It is several times faster than MD2.

MD5
A one-way message-digest hash function, designed by Ron Rivest. It is an improved version of MD4. MD5 processes input text in 512-bit blocks, divided into 16 32-bit sub-blocks. The output of the algorithm is a set of four 32-bit blocks, which concatenate to form a single 128-bit hash value. It is also used along with MD2 in the PEM protocols.

message authentication code (MAC)
A secret key that is shared between the sender and the recipient. The sender authenticates, and the recipient verifies. In Tivoli PKI, MAC keys are stored in the KeyStores for the CA and Auditing components.

message digest
An irreversible function that takes an arbitrary-sized message and produces a fixed-length quantity. MD5 is an example of a message digest algorithm.

MIME (Multipurpose Internet Mail Extensions)
A freely available set of specifications that allows the interchange of text in languages with different character sets. It also allows multimedia e-mail among many different computer systems that use Internet mail standards. For example, the e-mail messages may contain character sets other than US-ASCII, enriched text, images, and sounds.

modulus
In the RSA public key cryptographic system, the product (n) of two large primes: p and q. The best size for an RSA modulus depends on one's security needs. The larger the modulus, the greater the security. The current RSA Laboratories-recommended key sizes depend on the planned use for the key: 768 bits for personal use, 1024 bits for corporate use, and 2048 bits for extremely valuable keys like the key pair of a CA. A 768-bit key is expected to be secure until at least the year 2004.

N

National Language Support (NLS)
Support within a product for differences in locales, including language, currency, date and time format, and numeric presentation.

National Security Agency (NSA)
The official security body of the U.S. government.

NIST
National Institute of Standards and Technology, formerly known as NBS (National Bureau of Standards). It promotes open standards and interoperability in computer-based industries.

NLS
National language support.

nonce
A string that is sent down from a server or application, requesting user authorization. The user that is asked for authentication signs the nonce with a private key. The user's public key and the signed nonce are sent back to the server or application that requested authentication. The server then attempts to decipher the signed nonce with the user's public key. If the deciphered nonce is the same as the original nonce that was sent, the user is authenticated.
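The challenge-response exchange described under nonce, as an added Python example that is not part of this manual or of Tivoli PKI. It uses a constructed textbook RSA key with tiny primes as a stand-in for a real key pair; the arithmetic is a toy, and what it demonstrates is the shape of the exchange, the one-time use of each nonce, and the lookup of the user's public key in a trusted directory rather than trusting whatever key the client presents.

```python
"""Challenge-response authentication with a signed nonce.

Added example (not from the Tivoli PKI manual). The RSA key below is a
constructed textbook key with tiny primes (p = 61, q = 53) and is NOT
secure; it only lets the exchange run offline. In a real PKI the public
key would come from the user's certificate and the signature from a
properly padded signature scheme.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed toy key: n = 61 * 53, e = 17, d = 2753 (e * d = 1 mod 3120).
TOY_N, TOY_E, TOY_D = 3233, 17, 2753
NONCE_LEN = 32  # bytes of unpredictable challenge material


def digest_mod_n(data: bytes, n: int) -> int:
    """Hash the nonce and reduce it modulo n so the toy key can sign it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_nonce(nonce: bytes, d: int, n: int) -> int:
    """Client side: sign the challenge with the private exponent d."""
    return pow(digest_mod_n(nonce, n), d, n)


def verify_signature(nonce: bytes, sig: int, e: int, n: int) -> bool:
    """Server side: 'decipher' the signature with the public key (e, n) and
    compare the result with the digest of the nonce that was sent."""
    return pow(sig, e, n) == digest_mod_n(nonce, n)


@dataclass
class Server:
    """Issues challenges and checks responses.

    trusted_keys plays the role of the trusted directory: a public key is
    accepted only if it is the one bound to that user there, not merely
    because the client presented it alongside the signed nonce.
    """
    trusted_keys: dict                                # user -> (e, n)
    outstanding: dict = field(default_factory=dict)   # user -> unused nonce

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        self.outstanding[user] = nonce
        return nonce

    def authenticate(self, user: str, presented_key: tuple,
                     nonce: bytes, sig: int) -> bool:
        # Each nonce is consumed on first use, so a captured response
        # cannot be replayed later.
        expected = self.outstanding.pop(user, None)
        if expected is None or not secrets.compare_digest(expected, nonce):
            return False
        if self.trusted_keys.get(user) != presented_key:
            return False
        e, n = presented_key
        return verify_signature(nonce, sig, e, n)


def run_exchange(server: Server, user: str, e: int, d: int, n: int) -> bool:
    """Drive one complete exchange: challenge, client signs, server checks."""
    nonce = server.challenge(user)                        # server -> client
    sig = sign_nonce(nonce, d, n)                         # client signs
    return server.authenticate(user, (e, n), nonce, sig)  # client -> server


if __name__ == "__main__":
    srv = Server({"alice": (TOY_E, TOY_N)})
    print("alice:", run_exchange(srv, "alice", TOY_E, TOY_D, TOY_N))
    # An unknown user with a valid-looking key pair is still refused.
    print("mallory:", run_exchange(srv, "mallory", TOY_E, TOY_D, TOY_N))
```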

non-repudiation
The use of a digital private key to prevent the signer of a document from falsely denying having signed it.

NSA
National Security Agency.

O

object
In object-oriented design or programming, an abstraction encapsulating data and the operations associated with that data. See also class.

object identifier (OID)
An administratively assigned data value of the type defined in abstract syntax notation 1 (ASN.1).

object type
The kind of object that can be stored in the Directory. For example, an organization, meeting room, device, person, program, or process.

ODBC
Open Database Connectivity.

Open Database Connectivity (ODBC)
A standard for accessing different database systems.

Open Systems Interconnect (OSI)
The name of the computer networking standards that the ISO approved.

OSI
Open Systems Interconnect.

P

PC card
Similar to a smart card, and sometimes called a PCMCIA card. This card is somewhat larger than a smart card and usually has a greater capacity.

PEM
Privacy-enhanced mail.

PKCS
Public Key Cryptography Standards.

PKCS #1
See Public Key Cryptography Standards.

PKCS #7
See Public Key Cryptography Standards.

PKCS #10
See Public Key Cryptography Standards.

PKCS #11
See Public Key Cryptography Standards.

PKCS #12
See Public Key Cryptography Standards.

PKI
Public key infrastructure.

PKIX
An X.509v3-based PKI.

PKIX certificate management protocol (CMP)
A protocol that enables connections with PKIX-compliant applications. PKIX CMP uses TCP/IP as its primary transport mechanism, but an abstraction layer over sockets exists. This enables support for additional polling transports.

PKIX CMP
PKIX certificate management protocol.

PKIX listener
The public HTTP server that a particular registration domain uses to listen for requests from the Tivoli PKI Client application.

plaintext
Unencrypted data. Synonym for cleartext.

policy exit
In a registration facility, an organization-defined program that is called by the registration application. The rules specified in a policy exit apply the organization's business and security preferences to the enrollment process.

preregistration
In Tivoli PKI, a process that allows one user, typically an administrator, to enroll other users. If the request is approved, the RA provides information that allows the user to obtain the certificate at a later time using the Tivoli PKI Client application.

privacy
Protection from the unauthorized disclosure of data.

privacy-enhanced mail (PEM)
The Internet privacy-enhanced mail standard that the Internet Architect Board (IAB) adopted to provide secure electronic mail over the Internet. The PEM protocols provide for encryption, authentication, message integrity, and key management.

private key
The key in a public/private key pair that is available only to its owner. It enables the owner to receive a private transaction or make a digital signature. Data signed with a private key can be verified only with the corresponding public key. Contrast with public key. See also public/private key pair.

protocol
An agreed-on convention for inter-computer communication.

proxy server
An intermediary between the computer that is requesting access (computer A) and the computer that is being accessed (computer B). Thus, if an end user makes a request for a resource from computer A, this request is directed to a proxy server. The proxy server makes the request, gets the response from computer B, and then forwards the response to the end user. Proxy servers are useful for accessing World Wide Web resources from inside a firewall.

public key
The key in a public/private key pair that is made available to others. It enables them to direct a transaction to the owner of the key or verify a digital signature. Data encrypted with the public key can be decrypted only with the corresponding private key. Contrast with private key. See also public/private key pair.

Public Key Cryptography Standards (PKCS)
Informal inter-vendor standards developed in 1991 by RSA Laboratories with representatives from various computer vendors. These standards cover RSA encryption, the Diffie-Hellman agreement, password-based encryption, extended-certificate syntax, cryptographic message syntax, private-key information syntax, and certification syntax.

¶ PKCS #1 describes a method for encrypting data by using the RSA public key cryptosystem. Its intended use is in the construction of digital signatures and digital envelopes.

¶ PKCS #7 specifies a general format for cryptographic messages.

¶ PKCS #10 specifies a standard syntax for certification requests.

¶ PKCS #11 defines a technology-independent programming interface for cryptographic devices such as smart cards.

¶ PKCS #12 specifies a portable format for storing or transporting a user's private keys, certificates, miscellaneous secrets, and so forth.

public key infrastructure (PKI)
A standard for security software that is based on public key cryptography. The PKI is a system of digital certificates, certificate authorities, registration authorities, certificate management services, and distributed directory services. It is used to verify the identity and authority of each party involved in any transaction over the Internet. These transactions might involve operations where identity verification is required. For example, they might confirm the origin of proposal bids, authors of e-mail messages, or financial transactions.

The PKI makes the public encryption keys and certificates of users available for authentication by a valid individual or organization. It provides on-line directories that contain the public encryption keys and certificates that are used in verifying digital certificates, credentials, and digital signatures.

The PKI provides a means for swift and efficient responses to verification queries and requests for public encryption keys. It also identifies potential security threats to the system and maintains resources to deal with security breaches. Finally, the PKI provides a digital timestamping service for important business transactions.

public/private key pair
A public/private key pair is part of the concept of key pair cryptography (introduced in 1976 by Diffie and Hellman to solve the key management problem). In their concept, each person obtains a pair of keys, one called the public key and the other called the private key. Each person's public key is made public while the private key is kept secret. The sender and receiver do not need to share secret information: all communications involve only public keys, and no private key is ever transmitted or shared. It is no longer necessary to trust some communications channel to be secure against eavesdropping or betrayal. The only requirement is that public keys must be associated with their users in a trusted (authenticated) manner (for instance, in a trusted directory). Anyone can send a confidential message by using public information. However, the message can be decrypted only with a private key, which is in the sole possession of the intended recipient. Furthermore, key pair cryptography can be used not only for privacy (encryption), but also for authentication (digital signatures).

R

RA
Registration authority.

RA Desktop
A Java applet that provides RAs with a graphical interface for processing requests for credentials and administering them throughout their lifetime.

RA server
The server for the Tivoli PKI Registration Authority component.

RC2
A variable key-size block cipher, designed by Ron Rivest for RSA Data Security. RC stands for Ron's Code or Rivest's Cipher. It is faster than DES and is designed as a drop-in replacement for DES. It can be made more secure or less secure against exhaustive key search than DES by using appropriate key sizes. It has a block size of 64 bits and is about two to three times faster than DES in software. RC2 can be used in the same modes as DES.

An agreement between the Software Publishers Association (SPA) and the United States government gives RC2 special status. This makes the export approval process simpler and quicker than the usual cryptographic export process. However, to qualify for quick export approval a product must limit the RC2 key size to 40 bits with some exceptions. An additional string can be used to thwart attackers who try to precompute a large look-up table of possible encryptions.

registrar
A user who has been authorized to access the RA Desktop, to administer certificates and requests for certificates.

registration authority (RA)
The software that administers digital certificates to ensure that an organization's business policies are applied from the initial receipt of an enrollment request through certificate revocation.

registration database
Contains information about certificate requests and issued certificates. The database stores enrollment data and all changes to the certificate data throughout its life cycle. The database can be updated by RA processes and policy exits, or by registrars.

registration domain
A set of resources, policies, and configuration options related to specific certificate registration processes. The domain name is a subset of the URL that is used to run the registration facility.

registration facility
A Tivoli PKI application framework that provides specialized means of enrolling entities (such as browsers, routers, e-mail, and secure client applications) and managing certificates throughout their life cycle.

registration process
In Tivoli PKI, the steps for validating a user, so that the user and the user's public key can become certified and participate in transactions. This process can be local or Web-based, and can be automated or administered by human interaction.

repudiate
To reject as untrue; for example, to deny that you sent a specific message or submitted a specific request.

request ID
A 24- to 32-character ASCII value that uniquely identifies a certificate request to the RA. This value can be used on the certificate request transaction to retrieve the status of the request or the certificate that is associated with it.

RSA
A public key cryptographic algorithm that is named for its inventors (Rivest, Shamir, and Adleman). It is used for encryption and digital signatures.

S

schema
As relates to the Directory, the internal structure that defines the relationships between different object types.

Secure Electronic Transaction (SET)
An industry standard that facilitates secure credit card or debit card payment over untrusted networks. The standard incorporates authentication of cardholders, merchants, and card-issuing banks because it calls for the issuance of certificates.

Secure Sockets Layer (SSL)
An IETF standard communications protocol with built-in security services that are as transparent as possible to the end user. It provides a digitally secure communications channel.

An SSL-capable server usually accepts SSL connection requests on a different port than requests for standard HTTP requests. SSL creates a session during which the exchange signals to set up communications between two modems need to occur only once. After that, communication is encrypted. Message integrity checking continues until the SSL session expires.

security domain
A group (a company, work group or team, educational or governmental) whose certificates have been certified by the same CA. Users with certificates that are signed by a CA can trust the identity of another user that has a certificate signed by the same CA.

server
(1) In a network, a data station that provides functions to other stations; for example, a file server. (2) In TCP/IP, a system in a network that handles the requests of a system at another site, called a client/server.

server certificate
A digital certificate, issued by a CA to enable a Web server to conduct SSL-based transactions. When a browser connects to the server by using the SSL protocol, the server sends the browser its public key. This enables authentication of the identity of the server. It also enables encrypted information to be sent to the server. See also CA certificate, digital certificate, and browser certificate.

servlet
A server-side program that gives Java-enabled servers additional functionality.

SET
Secure Electronic Transaction.

SGML
Standard Generalized Markup Language.

SHA-1 (Secure Hash Algorithm)
An algorithm that was designed by NIST and NSA for use with the Digital Signature Standard. The standard is the Secure Hash Standard; SHA is the algorithm that the standard uses. SHA produces a 160-bit hash.

sign
To use your private key to generate a signature. The signature is a means of proving that you are responsible for and approve of the message you are signing.

signing/verifying
To sign is to use a private digital key to generate a signature. To verify is to use the corresponding public key to verify the signature.

Simple Mail Transfer Protocol (SMTP)
A protocol that transfers electronic mail over the Internet.

site certificate
Similar to a CA certificate, but valid only for a specific Web site. See also CA certificate.

smart card
A piece of hardware, typically the size of a credit card, for storing a user's digital keys. A smart card can be password-protected.

S/MIME
A standard that supports the signing and encryption of e-mail transmitted across the Internet. See MIME.

SMTP
Simple Mail Transfer Protocol.

SSL
Secure Sockets Layer.

Standard Generalized Markup Language (SGML)
A standard for describing markup languages. HTML is based on SGML.

symmetric cryptography
Cryptography that uses the same key for both encryption and decryption. Its security rests in the key: revealing the key means that anyone could encipher and decipher messages. The communication remains secret only as long as the key remains secret. Contrast with asymmetric cryptography.

symmetric key
A key that can be used for both encryption and decryption. See also symmetric cryptography.

T

target
A designated or selected data source.

TCP/IP
Transmission Control Protocol/Internet Protocol.

top CA
The CA at the top of a PKI CA hierarchy.

TP
Trust Policy.

transaction ID
An identifier provided by the RA in response to a preregistration enrollment request. It enables a user running the Tivoli PKI Client application to obtain the pre-approved certificate.

Transmission Control Protocol/Internet Protocol (TCP/IP)
A set of communication protocols that support peer-to-peer connectivity functions for local and wide area networks.

triple DES
A symmetric algorithm that encrypts the plaintext three times. Although many ways exist to do this, the most secure form of multiple encryption is triple-DES with three distinct keys.

Tivoli PKI
An integrated IBM security solution that supports the issuance, renewal, and revocation of digital certificates. These certificates can be used in a wide range of Internet applications, providing a means to authenticate users and ensure trusted communications.

trust chain
A set of certificates that consists of the trusted hierarchy from the user certificate to the root or self-signed certificate.

trust domain
A set of entities whose certificates have been certified by the same CA.

trusted computer base (TCB)
The software and hardware elements that collectively enforce an organization's computer security policy. Any element or part of an element that can effect security policy enforcement is security-relevant and part of the TCB. The TCB is an object that is bounded by the security perimeter. The mechanisms that carry out the security policy must be non-circumventable, and must prevent programs from gaining access to system privileges to which they are not authorized.

trust model
A structuring convention that governs how certificate authorities certify other certificate authorities.

tunnel
In VPN technology, an on-demand virtual point-to-point connection made through the Internet. While connected, remote users can use the tunnel to exchange secure, encrypted, and encapsulated information with servers on the corporate private network.

type
See object type.

U

Unicode
A 16-bit character set that is defined by ISO 10646. The Unicode character encoding standard is an international character code for information processing. The Unicode standard encompasses the principal scripts of the world and provides the foundation for the internationalization and localization of software. All source code in the Java programming environment is written in Unicode.

Uniform Resource Locator (URL)
A scheme for addressing resources on the Internet. The URL specifies the protocol, host name or IP address. It also includes the port number, path, and resource details needed to access a resource from a particular machine.

URL
Uniform Resource Locator.

user authentication
The process of validating that the originator of a message is the identifiable and legitimate owner of the message. It also validates that you are communicating with the end user or system you expected to.

UTF-8
A transformation format. It enables information processing systems that handle only 8-bit character sets to convert 16-bit Unicode to an 8-bit equivalent and back again without loss of information.

V

Virtual Private Network (VPN)
A private data network that uses the Internet rather than phone lines to establish remote connections. Because users access corporate network resources through an Internet Service Provider (ISP) rather than a telephone company, organizations can significantly reduce remote access costs. A VPN also enhances the security of data exchanges. In traditional firewall technology, message content can be encrypted, but the source and destination addresses are not. In VPN technology, users can establish a tunnel connection in which the entire information packet (content and header) is encrypted and encapsulated.

VPN
Virtual Private Network.

W

Web browser
Client software that runs on a desktop PC and enables the user to browse the World Wide Web or local HTML pages. It is a retrieval tool that provides universal access to the large collection of hypermedia material available in the Web and Internet. Some browsers can display text and graphics, and some can display only text. Most browsers can handle the major forms of Internet communication, such as FTP transactions.

Web server
A server program that responds to requests for information resources from browser programs. See also server.

WebSphere Application Server
An IBM product that helps users develop and manage high-performance Web sites. It eases the transition from simple Web publishing to advanced e-business Web applications. The WebSphere Application Server consists of a Java-based servlet engine that is independent of both the Web server and its underlying operating system.

World Wide Web (WWW)
That part of the Internet where a network of connections is established between computers that contain hypermedia materials. These materials provide information and can provide links to other materials in the WWW and Internet. WWW resources are accessed through a Web browser program.

X

X.500
A standard for putting into effect a multipurpose, distributed and replicated directory service by interconnecting computer systems. Jointly defined by the International Telecommunications Union (ITU), formerly known as CCITT, and the International Organization for Standardization and International Electro-Chemical Commission (ISO/IEC).

X.509 certificate
A widely-accepted certificate standard designed to support secure management and distribution of digitally signed certificates across secure Internet networks. The X.509 certificate defines data structures that accommodate procedures for distributing public keys that are digitally signed by trusted third parties.

X.509 Version 3 certificate
The X.509v3 certificate has extended data structures for storing and retrieving certificate application information, certificate distribution information, certificate revocation information, policy information, and digital signatures.

X.509v3 processes create time-stamped CRLs for all certificates. Each time a certificate is used, X.509v3 capabilities allow the application to check the validity of the certificate. It also allows the application to determine whether the certificate is on the CRL. X.509v3 CRLs can be constructed for a specific validity period. They can also be based on other circumstances that might invalidate a certificate. For example, if an employee leaves an organization, their certificate would be put on the CRL.

Index

Numerics4758 coprocessor

CA KeyStore 18CA support 9, 13encrypting CA key 43installing 44, 65integration with CA 43overview 13setting up 43storing CA key 44system requirements 23

Aabout this guide xiiiaccess controls

CA privileges 42Directory administrator privileges 43Directory privileges 42Directory root privileges 43RA Desktop privileges 6system 37

AIXaccess controls 37backing up 55backup utility 77bootstrap values 73, 92CD-ROM filesystem 54cfguser username 39, 76, 95file systems 53firewall considerations 37hardware configurations 26host name resolution 54installation guidelines 65installation roadmap 49installing 4758 coprocessor 65installing Directory server 58

AIX (continued)operating system level 23post-installation checklist 76security considerations 36server platforms 23setting up 50software requirements 23system image 55system users 54verifying filesets 51volume groups 53

AIX/6000 operating system 23architecture

LDAP protocol 16object stores 16PKIX CMP protocol 16

audience xivAudit subsystem

archiving 11database 10event masks 10installing on AIX 67installing on NT 90integrity checking 11KeyStore 18MACs 10overview 10

Bback up and recovery, key 14backup images

AIX 55, 77NT 82, 97

bootstrap valueson AIX 73on NT 92

133Tivoli PKI Up and Running

Ind

ex

Page 154: Tivoli Public Key Infrastructure - publib.boulder.ibm.compublib.boulder.ibm.com/tividd/td/PKI/GC32-0472-03/en_US/PDF/iaugmst.pdf · ¶ If you are a marketing manager, this book shows

browser certificates 5
bulk certificate issuance
  description 14

C

CD-ROM filesystem 54
CD-ROMs, product 48
CDSA 15
certificate authority (CA)
  4758 coprocessor 9, 13
  certificate revocation list 9
  cross-certification 9
  database 8
  DN entry 42
  hierarchy 9
  installing on AIX 67
  installing on NT 90
  integration with 4758 coprocessor 43
  issued certificate list 8
  KeyStore 18
  MACs 9
  overview 8
  protecting keys 43
  self-signed certificate 9
  serial number 8
  storing key in hardware 44

certificate extensions
  common 20
  customizing 20
  in Tivoli PKI 20
  private 20
  standard 20
certificate profiles
  customizing 7
  described 5
certificate revocation list (CRL) 9
certificate types 5
certificates
  bulk 14
  extensions 20
  self-signed CA 9
  trust hierarchy 9
  X.509v3 support 20

cfgPostInstall program 76
cfguser username 39, 76, 81, 95
checklist, installation planning 30
checklists
  post-installation on AIX 76
  post-installation on NT 95
Client application
  documentation for 104
  installing 66, 89
  system requirements 27

client authentication 39
code signing 17
Common Data Security Architecture (CDSA) 15
common extensions 20
configuration
  bootstrap values on NT 73, 92
  data collection form 77, 96
  Directory server 41
  DOS environment setup 96
  file systems in AIX 53
  firewalls 37
  overview of process 99
  preparing for on AIX 76, 99
  preparing for on NT 95, 99
  server architecture 46
  volume groups in AIX 53
  Web server 39

configuration data form 77, 96
Configuration Guide
  accessing 100
  overview 99

constraints, server configuration 46
controlling server access 37
conventions xvii
createconfig_start.sql file 73, 92
CRL 9
cross-certification 9
cryptographic algorithms 47
customer support xvii
Customization Guide
  accessing 105
  overview 104

customizing
  certificate extensions 20
  certificate profiles 7
  policy exits 8
  registration domains 7

D

databases
  audit data 10
  CA data 8
  Directory data 12
  installation guidelines 55
  key back up and recovery 14
  overview 12
  registration data 4
  reserved names 38
  system requirements 23

datavg volume group 53
DB2
  advantages 12
  audit database 10
  CA database 8
  data encryption 18
  db2admin user 82
  Directory database 12
  installing 56
  installing on AIX 55, 56
  installing on NT 82
  reserved names 38
  system requirements 23

db2admin user 82
defining disk partitions in AIX 53
Directory administrator
  DN entry 43
  KeyStore 18

Directory schema 42
Directory server
  access controls 42
  CA DN 42
  configuring 41
  Directory administrator DN 43
  installing on AIX 58, 67
  installing on NT 87, 90
  overview 12
  root DN 43
  schema 42
  software requirements 23
  using with Tivoli PKI 88

disk partitions
  dbfsadt 53
  dbfsibm 53
  dbfskrb 54
  dbfspkrf 53
  for AIX server 53
disk space
  recommended for AIX 26
  recommended for NT 26
  sizing guidelines 25, 53
distinguished names (DN), defined 42
DN, defined 42
DNS 41
domestic encryption edition 47
DOS environment 96

E

encryption algorithms 47
enrollment
  browser forms 5
  certificate types 5
  customizing 7
  notification letters 5
  overview 4
  policy exits 5
  preregistration 5
  system requirements 27

exportability, cryptographic algorithms 47

F

file systems
  CD-ROM 54
  for AIX server 53
  verifying 51

file systems, setting up AIX 53


firewall security 37
FirstSecure
  integration with Policy Director 45
  Planning and Integration 45

G

getting started
  with configuration 99
  with customization 104
  with enrollment 104
  with RA administration 103
  with system administration 101
  with Tivoli PKI 101

groups, setting up AIX volume 53

H

hardware requirements
  4758 coprocessor 23
  server, optional 23
  server, required 25
  Setup Wizard 26

hardware security model 13
help
  for enrollment 104
  for RA Desktop 103
  for Setup Wizard 100
hierarchy, CA 9
host name, specifying TCP/IP 50
host name resolution, AIX 54
HSM device 13
HTTP protocol 39
httpd.conf file 76, 94
HTTPS protocol 39

I

IBM HTTP Server
  installing on AIX 61
  installing on NT 84, 85

ICL 8
installation
  4758 coprocessor on AIX 44, 65
  AIX 50
  confirm NT system 88
  database software on AIX 55, 56
  database software on NT 82
  Directory server on AIX 58
  Directory server on NT 87
  HTTP Server on NT 85
  JDK on NT 84
  post-installation checklist, AIX 76
  post-installation checklist, NT 95
  server components on AIX 65
  server components on NT 89
  Web server on AIX 61
  Web server on NT 84
  WebSphere Server on AIX 62
  WebSphere Server on NT 86
  Windows NT 80

installation planning checklist 30
installp program 67
InstallShield program, server setup 90
integrity protection
  of audit records 11
  of CA records 9

international encryption edition 47
IP aliases
  described 39
  setting up on NT 87
IPSec certificates 5
issued certificate list (ICL) 8

J

Java
  installing on AIX 60
JDK
  installing on NT 84
  required level 23

K

key recovery 14
KeyStores 18
KeyWorks, installing 66

L

languages
  product differences 47
  supported 47

library, Tivoli PKI Web site xiv

M

machine types
  recommended for AIX 26
  recommended for NT 26
MACs
  for audit records 10
  for CA records 9
  in KeyStores 18

masking audit events 10
memory (RAM)
  recommended for AIX 26
  recommended for NT 26
message signing 18
migration
  backup utility on AIX 77
  backup utility on NT 97

N

name, specifying TCP/IP host 50
national language support
  cryptographic algorithms 47
  encryption editions 47
  language differences 47
  overview 47
Netfinity servers 25
network security 36

O

object stores 16
operating systems
  for AIX servers 23
  for NT servers 23
  for Setup Wizard 26, 33

P

passwords
  for AIX servers 23
  for NT servers 23
  for Setup Wizard 26, 33

physical security 36
PKCS #12 file, recovering 14
PKI, defined 15
PKIX, defined 15
PKIX CMP certificates 5
planning checklist, installation 30
Policy Director 45
policy exits
  customizing 8
  defined 5

post-installation configuration program 76, 94
preface information xiii
preregistration
  browser enrollment 5
private extensions 20
processors
  recommended for AIX 26
  recommended for NT 26

product packaging 48


protocols
  HTTP 39
  HTTPS 39
  LDAP 16
  PKIX CMP 16
  SSL 39
  supported in Tivoli PKI 18
public Web server 39
publications
  Configuration Guide 99
  Customization Guide 104
  described xiv
  RA Desktop Guide 103
  System Administration Guide 101
  Tivoli security products xviii
  User's Guide 104

R

RA Desktop
  adding registrars 6
  documentation for 103
  help for 103
  installing 66, 89
  overview 6
  system requirements 27
  using 103
RA Desktop Guide
  accessing 103
  overview 103

recovery, key 14
registrars 6
registration authority (RA)
  certificate profiles 5
  client authentication 39
  customizing 7
  enrollment 4
  installing on AIX 67
  installing on NT 90
  overview 4
  policy exits 5
  RA Desktop 6
  Web server integration 11

registration database 4

registration domains
  customizing 7
  defined 4
  described 4
registration facility
  customizing 7
  described 4
Release Notes 23
reserved database names 38
RISC System/6000 25
roadmaps
  AIX installation 49
  NT installation 79
root CA 9
root DN entry 43
rootvg volume group 53
RS/6000 servers 25

S

S/MIME certificates 5
schema support 16
secure Web servers 39
security
  firewalls 37
  physical 36
  system 36
self-signed CA certificate 9
serial numbers 8
server certificates 5
server configurations 46
server requirements
  for AIX 26
  for Windows NT 26
  optional hardware 23
  optional software 23
  required hardware 25
  required software 23

Setup program, server software 90
Setup Wizard
  documentation for 99
  help for 100
  overview 99
  swing library 27
  system requirements 26

sizing disk partitions in AIX 53
SMIT program 53, 67
software requirements
  4758 coprocessor 23
  Directory server 23
  distribution 48
  JDK 23
  product CD-ROMs 48
  server, optional 23
  server, required 23
  Setup Wizard 26
  Web browsers for Setup Wizard 27, 33
  Web server 23

SSL certificates 5
SSL protocol 39
standard certificate extensions 20
standards
  cryptographic 18
  supported in Tivoli PKI 18
summary of
  conventions used xvii

support, Tivoli customers xvii
swing library 27
System Administration Guide
  accessing 102
  overview 101
system architecture
  diagram 3
  server configurations 46
system diagram 3
system image, configuring 55
system requirements
  4758 coprocessor 23
  browser enrollment 27
  DB2 23
  Directory 23
  hardware, server 25
  optional hardware, server 23
  optional software, server 23
  RA Desktop 27
  Setup Wizard 26
  software, server 23
  Web server software 23

system security 36

system sizing
  guidelines 25
  recommended for AIX 26
  recommended for NT 26

T

ta-backup utility 77, 97
TCP/IP host name, verifying 50
temp directory 80
Tivoli
  Customer Support xvii
  security management Web information xviii
  security product Web sites xviii
Tivoli PKI
  Web information xviii

Tivoli PKI configuration user 81
Tivoli PKI system
  4758 cryptographic support 13
  Audit subsystem 10
  Certificate Authority server 8
  cryptographic standards 18
  database system 12
  described 1
  Directory server 12
  features 1
  installing on AIX 65
  installing on NT 89
  main server 4
  Registration Authority server 4
  system diagram 3
  Web server 11
trust hierarchy 9
trust model
  code signing 17
  data encryption 18
  KeyStores 18
  message signing 18


U

Unicode support 47
URLs
  HTTP server publications 41
  Tivoli PKI home page xiv
  Tivoli PKI library page xiv
User's Guide
  accessing 104
  overview 104

UTF-8 encoding 47

V

verify host name 50
volume groups, setting up AIX 53
VPN certificates 5

W

Web server
  configuring 39
  DNS 41
  HTTP protocol 39
  HTTPS protocol 39
  installing on AIX 61
  installing on NT 84
  overview 11
  public host 39
  publications 41
  secure hosts 39
  software requirements 23
  SSL protocol 39

Web site for
  security management information xviii
  Tivoli Customer Support xvii
  Tivoli Public Key Infrastructure xviii
  Tivoli security products xviii
WebSphere Application Server
  installing on AIX 61, 62
  installing on NT 84, 86
WebSphere Application Server, upgrading 63

who should read xiv
Windows NT
  access controls 37
  backup utility 97
  cfguser username 39, 81
  firewall considerations 37
  hardware configurations 26
  installation guidelines 89
  installation roadmap 79
  installing Directory server 87
  IP aliases 87
  operating system level 23
  post-installation checklist 95
  required settings 88
  security considerations 36
  server platforms 23
  setting up 80
  software requirements 23

X

X.509v3 certificates 20


Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber.

GC32-0472-03