INSTALLATION GUIDE. Managed PKI v7.2. Hardware/Software Requirements

(1)

I N S T A L L A T I O N G U I D E

Managed PKI v7.2

Hardware/Software Requirements

(2)

The information in this document belongs to VeriSign. It may not be used, reproduced or disclosed without the written approval of VeriSign.

DISCLAIMER AND LIMITATION OF LIABILITY

VeriSign, Inc. has made efforts to ensure the accuracy and completeness of the information in this document. However, VeriSign, Inc. makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein.VeriSign, Inc. assumes no liability to any party for any loss or damage (whether direct or indirect) caused by any errors, omissions, or statements of any kind contained in this document.

Further, VeriSign, Inc. assumes no liability arising from the application or use of the product or service described herein and specifically disclaims any representation that the products or services described herein do not infringe upon any existing or future intellectual property rights. Nothing herein grants the reader any license to make, use, or sell equipment or products constructed in accordance with this document. Finally, all rights and privileges related to any intellectual property right described herein are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission, authority, or license secured from the patent, trademark, or service mark owner. VeriSign Inc. reserves the right to make changes to any information herein without further notice.

TRADEMARKS

VeriSign, the VeriSign logo, the checkmark circle, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.

This document may describe features and/or functionality that are not present in your software or your service agreement. Contact your account representative to learn more about what is available with this VeriSign product. If you need help using this product, contact customer support.

[email protected]

(3)

I N S T A L L A T I O N G U I D E

-iii VeriSign, Inc. March 10, 2008

Introduction

Managed PKI Hardware/Software Requirements describes what your organization

needs to set up VeriSign enterprise services.

About this Manual

Managed PKI Hardware/Software Requirements is designed for VeriSign Managed

PKI Services customers and installers who need to know what equipment to buy for their enterprise configurations. This document contains lists of the hardware and software you must have to install these programs. For details about how to configure and set up VeriSign products, see the installation guides that

accompany the respective products.

Note Read the appropriate hardware/software section for the product you want to install.

It is not possible for VeriSign to test every combination of third-party client, server, operating system, service pack, and so on. However, VeriSign does test the most common combinations and then, relying on the assertions of the vendors of these products, expands the list of supported combinations which are expected to work. For example, if a vendor asserts that a version of a Web browser is compatible with all versions of an operating system, VeriSign tests products and services against the Web browser on the most common version of the operating system and relies on the vendor’s statement to assume the Web browser works with all versions of the operating system.

If a problem arises with a combination which could not have been anticipated, VeriSign is committed to assisting you to work around the issue. If VeriSign cannot help you and cannot influence a timely patch to the third-party product by the vendor, we will add it to a list of unsupported combinations which will be available in our knowledge base and in this document.

(6)

Chapter 2, “Managed PKI Requirements,” lists the requirements for: – “Managed PKI Administrator Workstation” on page 8

– “End User Machine” on page 9 – “Managed PKI for SSL” on page 10 – “Digital Notarization” on page 11 – “Local Hosting” on page 11

– “VeriSign Registration Authority Service Module” on page 12 – “Certificate Validation Module (CVM)” on page 15

– “Certificate Parsing Module (CPM)” on page 15

– “Online Certificate Status Protocol (OCSP)” on page 16 – “Device Manufacturing Service (DMS)” on page 17 – “Outsourced Authentication” on page 17

Chapter 3, “Go Secure! Requirements,” lists the requirements for: – “Go Secure! for Microsoft Exchange v7.2” on page 19

– “Go Secure! for Web Applications v7.2” on page 21

Chapter 4, “Luna Hardware Security Module Support,” lists the Luna hardware security module (HSM) requirements for Managed PKI.

Compatibility Matrix for Single Digital ID

The Compatibility Matrix shows which different VeriSign enterprise services, software, and hardware can be used with the same Digital ID. The abbreviations used in the compatibility matrix are listed in Table 1-1.

Table 1-1 Abbreviations used in the Compatibility Matrix

RA VeriSign Registration Authority Service

(7)

-VeriSign, Inc. March 10, 2008 3

Find out if the products or services are compatible by looking at the intersection of the two items you are interested in. For example, if you want to check the features PTA (A), VeriSign Registration Authority Service (B), and Local Hosting (C) (ABC), check if AB (PTA row and VeriSign Registration Authority Service column) is compatible (the result is Yes). Next, check if AC is

compatible (Yes), and finally compare BC (Yes). A Yes indicates the two features compared work together and that a single Digital ID can be used for both the features to work. A No indicates incompatibility or these features are not designed to work together. A Req’d indicates the product requires VeriSign Registration Authority Service and Local Hosting.

Note The following numbered notes correspond to the numeric codes in the table.

1 Managed PKI for SSL and Managed PKI for SSL Premium Edition can only be issued under Public 2 IPSec issued under Private or shared (cobranded) CAs.

3 Registration Authority incorporates Automated Administration functionality, so a separate Automated Administration server is not needed.

4 Works with client certificates only.

5 Passcode, Manual Authentication, and VeriSign Registration Authority, including key escrow and recovery, are mutually exclusive.

6 There is no site kit for IPSec or Managed PKI for SSL.

7 Passcode can be made to work with VeriSign Registration Authority Service using customization. 8 CVM works with OCSP (CVM and OCSP are orthogonal).

9 Requires VeriSign Registration Authority, which requires Local Hosting. For Go Secure! for Microsoft Exchange, VeriSign Registration Authority and Local Hosting are required only if you are using Windows authentication, but optional otherwise. 10 PTA supports smart cards with the CAPI certificate store only.

11 File Encryption Feature requires PTA 2.x of higher.

Local Host

Managed PKI hosted at enterprise site

File Enc File Encryption feature of Go Secure! for Web Applications

PTA Personal Trust Agent in Go Secure! for Web Applications

DMS Device Manufacturing Service

GS! MSE Go Secure! for Microsoft Exchange

Smart Cards

Support for smart cards

Priv CA Private hierarchy BAS Business Authentication Service

Publ CA Public hierarchy OA Outsourced Authentication

MPKI SSL Managed PKI for SSL Client VPN

Client Virtual Private Network

Passcode Passcode Authentication CAS Consumer Authentication Service

OCSP Online Certificate Status Protocol

Win2k Int Windows 2000/XP integration with smart cards

CVM Certificate Validation Module MS EFS Microsoft Encryption File Service Integration

(8)

12 CPM and CVM work with native SSL client authentication. PTA 6.0 and higher have added support for native SSL client authentication.

13 VeriSign Registration Authority Service requires Local Hosting. VeriSign Registration Authority and Local Hosting do not require key escrow and recovery functionality.

14 Microsoft does not currently support EFS certificates on smart cards. To use EFS, the certificate must be on the local hard drive. You can use the same certificates for Win2k logon (on a smart card) and for EFS (copy stored locally).

15 Smart card CSP required for Win2k logon. Microsoft Base CSP required for EFS. PTA works in CAPI mode only (PTA cannot use VeriSign Certificate Store).

16 Not supported by Java PTA. Supported by ActiveX PTA without TPM functionality. 17 Not supported by Java PTA. Supported by ActiveX PTA, with or without TPM functionality.

(9)

RA Lo c a l Ho s t P T A GS ! MS E Pr iv CA Pu b l CA MP K I SSL Pa s s co d e OC SP CV M , CP M Fi le Enc D M S Sm a rt -ca rd s B A S O A C lient _VPN Win 2 k In t MS EF S RA Lo c a l Ho s t req' d (1 3 ) PT A ye s (1 5 ) ye s GS ! MS E ye s (9 ) ye s (1 5 ) ye s P ubl ic C A ye sy e s ye sy e s Pr iv C A ye sy e s ye sy e s P ubl C y y e sy e s ye sy e s n o ( 1) IP S e c n o (6 ) n o (6 ) ye s n o (6 ) ye s (2 ) ye s (2 ) MP K I S S L n o (6 ) n o (6 ) n o (4 ) n o (4 ) n o (1 ) ye s Pa s s -c o de no ( 7 ) yes ye s ye s (9 ) ye s ye s n o (4 ) OC SP ye s yes ye s (1 6 ) ye s (1 6) ye s yes no ye s CV M , CP M ye s ye s ye s (1 2 ) ye s ye s ye s n o ( 4 ) ye s ye s (8 ) Fi le En c yes ye s ye s (1 1, 15 ) yes ye s yes no ( 4 ) ye s no no D M S n on on o n o ye s ye s n on on o n on o Sm ar t ca rd s ye s ye s ye s (1 4 ) ye s ye s ye s n o ye s ye s ye s n o n o B A S n o ye s ye s n o ye s ye s n o n o ye s ye s n o n o ye s OA n o (9 ); req' d req' d (9 ) yes no ye s yes no n o ye s yes n o no ye s n o C lie n t V P N ye s ye s yes no ye s n o n o ye s ye s n o n o n o n o n o n o W in2k In t. req' d (9 ) req' d (9 ) ye s (1 5 ) ye s ye s ye s n o n o ( 5 ) yes ye s n o n o yes no no n o MS EF S yes ye s ye s (1 5 ) ye s ye s ye s n o n o ( 5 ) ye s ye s n o n o ye s (1 4 ) no no n o ye s

(10)

(11)

-Chapter 2

Managed PKI Requirements

This document describes the hardware and software that have been tested for use with Managed PKI. You may find that earlier versions of hardware and/or software and service packs work well with Managed PKI and its options. However, the versions in this document are the ones that are supported by VeriSign.

For the most current information about any Managed PKI version, see the Release Notes for that product.

Protocols and Ports

The numbers in the following list indicate port numbers.

End user - Local Hosting server: 443, https

Local Hosting server - VeriSign Registration Authority Service: 2003,

TCP/IP

VeriSign Registration Authority Service - Data sources:

– LDAP directory: 389, LDAP

– Secure LDAP: 636, LDAP with SSL – Database: ODBC

Local Hosting (with VeriSign Registration Authority Service) - VeriSign:

80, http

Figure 2-1 shows a common hardware configuration for a Managed PKI installation with Local Hosting, Go Secure! for Web Applications, and VeriSign Registration Authority Service functionality.

(12)

Internet Access for Authentication Methods

There are three types of authentication methods that use Local Hosting:

Manual Authentication (Local Hosting not required). Client/end user

needs Internet access to VeriSign for this to work. Local Hosting can be used.

Passcode Authentication (Local Hosting not required). Client/end user

needs Internet access to VeriSign for this to work. Local Hosting can be used.

VeriSign Registration Authority Service (Local Hosting required).

Client/end user does not need Internet access for this to work. The Local Hosting server needs access to the Authentication server and the Internet. A CGI on the Local Hosting server handles communication with VeriSign.

Managed PKI Administrator Workstation

This section describes hardware and software needed for the administrator’s machine for Managed PKI, Managed PKI for SSL, Managed PKI for SSL Premium Edition, and IPSec Managed PKI accounts.

(13)

Hardware

Intel-based PC, 866Mhz Pentium or faster

Note Lighter configurations will work but may not meet expected performance levels. In addition, adding more memory or a faster CPU to this configuration would probably not make a difference in performance.

512MB RAM

10MB free disk space

The administrator workstation must be able to access the Internet through port 443.

Required for USB Token Users CD-ROM drive

Aladdin token(s) and connector cable

One available USB port for connecting the token Supported Operating Systems and Browsers

The Administrator workstation requires the following browsers and operating systems. All browsers must be capable of 128-bit crypto, with JavaScript support enabled.

End User Machine

The end user machine requires the following browsers and operating systems. All browsers must be capable of 128-bit crypto, with JavaScript support enabled.

Table 2-1 Administrator workstation operating system/browser requirements

Operating System Browser

Windows XP Service Pack 2 (SP2) Internet Explorer 6.x, 7.x Windows Vista (Home Basic and

Ultimate)

Internet Explorer 7.0

Table 2-2 End-user workstation operating system/browser requirements

(14)

Note _{The end user machine must be able to access the Local Hosting server}

through port 443 and the Internet through port 443 if VeriSign Registration Authority Service is not being used.

Managed PKI for SSL

Administrator Workstation and End User Operating Systems Windows 2000 SP2 Windows 2003 Enterprise SP1 Windows ME Windows XP Supported Browsers Internet Explorer 6.x, 7.x Firefox 2.x Safari 2.x

Supported Servers for Managed PKI for SSL

Supported server vendors for Managed PKI for SSL are listed in Table 2-2.

Windows XP SP2 Internet Explorer 6.x, 7.x Firefox 2.x

Windows Vista (Home Basic and Ultimate)

Internet Explorer 7.0 Macintosh OS X 10.4 Firefox 2.x

Safari 2.x

Table 2-2 End-user workstation operating system/browser requirements

Figure 2-2 Supported server vendors for Managed PKI for SSL

Microsoft Netscape Apache

iPlanet Advanced Businesslink AliBaba (WarpGroup)

AOL/Navisoft Aventail Backweb

BEA WebLogic Beyond Software Brokat C2Net Apache SSL-US Cacheflow Compaq Consensus Control Data Systems Covalent

(15)

Digital Notarization

Digital Notarization is a VeriSign back-end service that is accessed from the Managed PKI for SSL Control Center or directly from VeriSign’s Web site. This requires no installation at the customer site.

Web Browser Requirements Internet Explorer 5.5, 6.x

Local Hosting

To provide SSL-enabled access to your locally-hosted enrollment pages, you should install the appropriate VeriSign server certificate. Although SSL is not required, it is highly recommended.

If used with VeriSign Registration Authority Service. Front-end Local

Hosting server must be able to send outbound http on port 80 without being prompted for a proxy user ID or password. Also, if Local Hosting is on the same machine as VeriSign Registration Authority Service, then VeriSign Registration Authority Service only requires a Web server.

Dascom Domino F5

Frontier Technologies Gradient Hummingbird

I/NET IBM Information Builders

Information Hyperlink Ingrian Networks Intel

Internet Factory Iserver JavaSoft

Microsoft Visual InterDev 6.0

Mirapoint Mitem

Nanoteq NetCentric Netscreen

Nokia Novell Open Market

OpenConnect Systems Oracle O'Reilly & Associates Process Software Purveyor Quarterdeck/StarNine

r3 Radnet Red Hat

Roxen SilverStream Software Sirius Software Sonic WALL Sterling Software Sun Microsystems

Tandem Tektonic Tempest Software

Tenon (WebTen) Thawte Consulting Unify

Unisys Unwired Planet Velocity Software

Volera Wall Data WebMethods

WebSphere WebSTAR Zeus

(16)

If used without VeriSign Registration Authority Service. The Local

Hosting server does not need outbound access, but the end user does (on port 443)

VeriSign Registration Authority Service Module

Requirements

VeriSign Registration Authority Service server: VeriSign Registration Authority Service host with same requirements as Local Hosting server host. (Can be on the same machine as Local Hosting server, although it is recommended that it be installed on a separate machine separated by a firewall.)

Local Hosting module.

Table 2-3 Supported Web Server Platforms

Web Server Application Operating System/Platform

Apache Web server 2.0.x Red Hat Enterprise Linux AS 4.0 Pentium, 866 Mhz or faster 100 MB free disk space 512 MB RAM

CD-ROM drive Sun ONE Web Server 6.0 SP5 Solaris 9:

Sparc Ultra 2 or faster 150 MB free disk space 512 MB RAM

CD-ROM drive Sun Java System Web Server 6.1 SP2 Solaris 10:

Sparc Ultra 2 or faster 150 MB free disk space 512 MB RAM

CD-ROM drive

Microsoft Internet Information Server (IIS) 6.0 Windows 2003 Enterprise R2:

Pentium, 866 Mhz or faster (dual core processors supported)

100 MB free disk space 512 MB RAM

(17)

LDAP/ODBC database for validating shared secret data and/or registration of user certificates. Can be two separate databases or one.

For some hardware token readers, the interface slot is a PCI slot. See Chapter 4, “Luna Hardware Security Module Support” for the specific token reader that applies.

VeriSign Registration Authority Service Server

Platform configurations for VeriSign Registration Authority Service servers are listed in Table 2-4.

Note Most customers are able to edit the configuration file for the VeriSign Registration Authority Service server to allow it to work with verification and registration data sources, and will therefore not need a compiler to customize the VeriSign Registration Authority Service code.

VeriSign Registration Authority Service Data Sources The Registration Authority data sources include the following:

Verification Registration

Table 2-4 Platform configurations for RA servers

Operating Systems Requirements Optional (Compilers)

Red Hat Enterprise Linux AS 4.0 Pentium, 866Mhz or faster

100MB free disk space 512MB RAM

CD-ROM drive

Optional, only if you want to customize: gcc 3.4.4 and g++ 3.4.4

libc-2.3.4.so for lib

Solaris 9 or 10 (32-bit) Sparc Ultra 5 or faster 150MB free disk space 512MB RAM

CD-ROM drive

Optional, only if you want to customize: Sun Forte

C/C++ Workshop 6.2, Update 2

Windows 2003 Enterprise R2 Pentium, 866Mhz or faster

CD-ROM drive

Optional, only if you want to customize: Microsoft

(18)

Key Recovery (each escrowed key requires approximately 6k of disk space), if implementing the key escrow and recovery option

Data sources should be replicated for redundancy, high availability, and fail-over.

LDAP Directory

VeriSign Registration Authority Service supports the following LDAP directories:

OpenLDAP 2.3 (Red Hat Enterprise Linux AS 4.0) Sun Java System Directory Server 5.2

Windows 2003 Enterprise Active Directory ODBC

DataDirect Connect for ODBC, Release 5.3 for Oracle 10g on Solaris 10 or Red Hat Enterprise Linux AS 4.0

DataDirect Connect for ODBC, Release 5.3 for Oracle 9i on Solaris 9 Microsoft SQL Server 2005

Local Hosting Server

The front-end Local Hosting server used with VeriSign Registration Authority Service must be able to send traffic though outbound ports 80 and 443 without being prompted for a proxy user ID or password. For configuration

(19)

Certificate Validation Module (CVM)

The CVM plug-in is installed on a Web server. To access the Certificate Validation Module from the Web, use any Web browser that supports SSL client authentication.

Certificate Parsing Module (CPM)

VeriSign provides two CPM implementations:

Server plug-in version (NSAPI or SAF). The server plug-in can be used with any other server plug-ins and extensions such as servers, javascript, CGI programs in any programming language (csh, Perl, C, C++), NSAPI modules, and so on.

Table 2-5 Platform Requirements

Web Server Plug-in Requirement Operating System/Platform

Apache 2.0.x Red Hat Enterprise Linux AS 4.0 10MB free disk space

128MB RAM CD-ROM drive HP-UX 11i (11-11):

CD-ROM drive Sun ONE Web Server 6.0 SP5 Solaris 9:

Sparc Ultra 2 or faster 10MB free disk space 128MB RAM

CD-ROM drive

Microsoft ISA 2006 Windows 2003 Enterprise R2:

Pentium, 866Mhz or faster (dual core processor supported)

CD-ROM drive Microsoft IIS 6.0

(20)

Toolkit

Both support the following platforms:

Server Plug-in

CPM is available as a server plug-in for SunONE Web Server 6.0.

VeriSign provides example CGI programs that use the server plug-in for: C and C++ for Bourne shell and C shell

Perl for Bourne shell and C shell.

Online Certificate Status Protocol (OCSP)

Online Certificate Status Protocol (OCSP) requires no installation at the customer site besides the CVM plug-in, which can be modified to access OCSP. Browser Requirements

Any Web browser that supports SSL client authentication.

Table 2-6 Platform Requirements

Web Server Plug-in Requirements Platforms

Sun ONE Web Server 6.0 SP5 Solaris 9:

CD-ROM drive

Microsoft IIS 6.0 Windows 2003 Enterprise R2: Pentium, 866Mhz or faster 10MB free disk space 128MB RAM

(21)

Device Manufacturing Service (DMS)

DMS enables a cable modem or device manufacturer to send batch requests for certificates to VeriSign. The manufacturer then downloads the certificates. DMS Requirements (NT only)

NT 4.0 English version 256 MB RAM or higher 5GB free disk space Luna token reader DMS CD

Outsourced Authentication

Outsourced Authentication is a Managed PKI option that works with the same hardware and software that a customer receives with VeriSign Registration Authority Service. However, Outsourced Authentication requires a customer or VeriSign PSO to make some programming modifications to the VeriSign Registration Authority Service source code (included on the Managed PKI CD). This enables the customer's authentication logic to be used to decide when to reject an enrollment request or pass it on as a pending request.

Requirements: Local Hosting

VeriSign Registration Authority Service (must be customized for Outsourced Authentication)

The Managed PKI options you can use with Outsourced Authentication are listed in Table 2-7.

Note If you have contracted for the services of VeriSign’s Professional Services Organization (PSO), PSO will handle all installation and configuration issues as part of your initial service contract. This includes configuring VeriSign Registration Authority Service to work with Outsourced Authentication, enrolling you for your first certificate, assisting with running the Policy Wizard to set up the initial Managed PKI configuration, and creating your end users’ lifecycle pages.

(22)

The Managed PKI features you can use with Outsourced Authentication are listed in Table 2-7.

Table 2-7 Features supported with Outsourced Authentication

Managed PKI add-ons and options Required Optional Not supported

Local Hosting X

VeriSign Registration Authority Service

X

Manual Authentication Authentication should be done at VeriSign or through VeriSign Registration Authority Service. However, Manual Authentication has not been disabled.

Passcode Authentication X Go Secure! for Web Applications

(PTA)

X

Go Secure! for Microsoft Exchange X

CVM X

CPM X

(23)

-Chapter 3

Go Secure! Requirements

Go Secure! requirements are listed in the following sections.

Go Secure! for Microsoft Exchange v7.2

Go Secure! for Microsoft Exchange v7.2 works with specific combinations of versions of Microsoft Exchange and Outlook, as detailed below.

Managed PKI Installation Requirements

Table 3-1 lists the Managed PKI requirements for Go Secure! for Microsoft Exchange.

Local Hosting Server Requirements

If you are locally hosting, you must install the Go Secure! for Microsoft Exchange site kit on the same server as your Local Hosting site kit. If you are also implementing the optional VeriSign Registration Authority Service, see “VeriSign Registration Authority Service Module” on page 12.

Table 3-1 Managed PKI options used with Go Secure! for Microsoft Exchange

CD Local Hosting Authentication Methods VeriSign Registration Authority Service Required:

Managed PKI Local Hosting CD

Go Secure! for Microsoft Exchange CD

Optional:

Go Secure! for Web Applications CD

Optional Manual Authentication Passcode

Authentication VeriSign Registration Authority Service Windows authentication (Requires the VeriSign Registration Authority Service module)

(24)

Exchange Server Requirements

The Exchange server can be Windows 2003 Enterprise R2 server with the following specifications:

Pentium, 866Mhz or faster (dual core processors supported) 100MB free disk space

256MB RAM

Microsoft Exchange Server 2003 Enterprise Outlook 2003

Domain controller is Windows 2003 with Active Directory, with either – No Active Directory Connector (ADC), or

– Active Directory Connector replicating data between the Active Directory and Exchange directory.

CAUTION Microsoft Exchange Server and the Windows domain controller should be on separate machines.

Exchange Server 2003

The Exchange Server schema must be such that the User object on the Active Directory includes the following LDAP attributes:

cn alias rfc822Name userCertificate userSMIMECertificate legacyExchangeDN directoryName Directory Replication

If multiple Exchange Servers are involved, then directory replication must be enabled in such a way that all of the above mentioned attributes are replicated. Each of the above mentioned LDAP attribute names have a different name as seen from the Exchange Administrator console. For example, the LDAP attribute userCertificate is referred as X509-Cert in Exchange Administrator console.

(25)

End User Mailboxes

All users who are going to enroll for a Go Secure! for Microsoft Exchange certificate must have a mailbox created on an Exchange Server. The mailbox must have a valid “Primary NT Account” value, as displayed in the mailbox property sheet through the Exchange Administrator Console.

End User Machine Requirements

Table 3-2 lists the Managed PKI end user machine operating system and browser requirements for Go Secure! for Exchange 7.2. Additional requirements are listed following the table.

Outlook 2003

Windows Installer version 2.x

MSI version 2.0 packages supplied on Go Secure! for Microsoft Exchange CD or on the Download page of the Control Center.

Go Secure! for Web Applications v7.2

Managed PKI Installation Requirements

Table 3-3 lists the Managed PKI requirements for Go Secure! for Web Applications v7.2.

Table 3-2 Managed PKI end user machine requirements for Go Secure! for Exchange

Windows XP SP2 Internet Explorer 6.x or 7.0 Windows Vista (Home Basic or Ultimate) Internet Explorer 7.0

Table 3-3 Managed PKI options used with Go Secure! for Web Applications

CD Local Hosting Authentication Options VeriSign Registration Authority Service Managed PKI Local Hosting CD Go Secure! for Web Applications CD

Optional Manual Authentication Passcode Authentication VeriSign Registration Authority Service

(26)

Table 3-4 lists the application server requirements.

WebSphere and WebLogic Application Server Integration The PTA application server integrates with

IBM WebSphere Application Server 3.5 WebLogic server 6.0 and above.

Apache 2.0.x (on Red Hat Enterprise Linux AS 4.0 only)

Supported hardware platforms and Web server software are shown in Table 3-4.

Note _{If you use the PTA for transaction signing and you want to customize}

the authentication server code, install the appropriate development environment as described on page 13.

Netegrity SiteMinder Integration

The PTA server implements a custom authentication scheme that integrates with Netegrity’s SiteMinder 5.0. Supported software platforms are Solaris 8, 9, or 10, or Windows 2000.

Table 3-4 Application Server Requirements

Web Server Platform

Apache 2.0.x Red Hat Enterprise Linux AS 4.0 10MB free disk space

128MB RAM CD-ROM drive Sun Java System Web Server 6.1 SP2 Solaris 10:

CD-ROM drive

Microsoft IIS 6.0 Windows 2003 Enterprise R2:

Pentium, 866Mhz or faster (dual core processors supported for ActiveX PTA) 10MB free disk space

128MB RAM CD-ROM drive

(27)

Signature Verification API Supported

Windows Server 2003 implements a COM version of Signature Verification API. This allows enterprises to verify digital signatures in the MicrosoftASP environment. This support includes the standard capabilities of the PTA server suite such as chain validation and revocation checking based on CRLs and OCSP.

For Hosting Windows 2003 MSI Packages Windows 2003 Domain Controller

Active Directory to specify the Group policies. For specific information, see Microsoft Technet at

http://www.microsoft.com/technet.

End User Client Requirements

There are two ways to install PTA on a client machine for Internet Explorer cab file or MSI package. If you use the MSI package, then use Windows Installer 1.x. ActiveX-based PTA

ActiveX-based PTA works only for browsers using Microsoft Windows operating systems.

Java-based PTA

Java PTA has been tested on the following platforms, with browsers using Java plug-in 1.4.2.

Table 3-5 ActiveX-based PTA Requirements

Windows XP SP2 Internet Explorer 6.x or 7.0 Windows Vista (Home Basic and

Ultimate)

Internet Explorer 7.0

Table 3-6 Java-based PTA Requirements

Solaris 10 Mozilla 1.7.1

Windows XP SP2 Internet Explorer 6.x or 7.0 Windows Vista (Home Basic and

Ultimate)

(28)

(29)

-Chapter 4

Luna Hardware Security Module

Support

VeriSign supports the following hardware security modules (HSMs) with Managed PKI, for use with the VeriSign Registration Authority Service module.

Token Readers

For SafeNet Luna 2, Luna RA, and Luna PCM tokens, Managed PKI supports only the SafeNet Luna Dock reader, which is an external reader that requires a hardware PCI slot. The reader requires the driver version listed here. Older models of token readers are not supported, and earlier versions of the driver are not supported.

(30)

Luna HSMs

Managed PKI supports the following hardware for signing:

Managed PKI supports the following hardware for key generation:

Note IBM Netfinity is incompatible with Luna token readers.

Table 4-1 Supported HSMs for signing

HSM type Platform Driver version Firmware version

SafeNet Luna 2 Windows 8.1 3.9

SafeNet Luna SA Solaris, Linux 3.2 4.1.0 SafeNet Luna PCI (model

1200)

Windows 1.2 4.1.0

SafeNet Luna PCM Windows 2.1 4.5.1

Table 4-2 Supported HSMs for key generation

HSM type Platform Driver version Firmware version

SafeNet Luna RA Windows 8.1 3.9

SafeNet Luna SA

(Password Authentication mode)

Solaris, Linux 3.2 4.1.0

SafeNet Luna PCI (model 1200)

Windows 1.2 4.1.0

(31)

- - - Index

Index

A

ActiveX PTA4

B

browsers

Certificate Validation Module15

Digital Notarization11

Managed PKI administrator worksta-tion9

Managed PKI end user9

Managed PKI for SSL10

Online Certificate Status Protocol16

Business Authentication Service compatibility matrix3

C

Certificate Parsing Module15

compatibility matrix2

Outsourced Authentication with18

Certificate Validation Module compatibility matrix3

platform requirements15, 16

plug-in Web server availability15

Client Managed PKI

see Managed PKI

compilers

Red Hat Linux13

Solaris13

Windows 200013

Consumer Authentication Service compatibility matrix3

CPM

see Certificate Parsing Module

CVM

see Certificate Validation Module

D

Device Manufacturing Service17

DMS

see Device Manufacturing Service

documentation2

E

end users

Exchange server requirements for21

Go Secure! for Web Applications cli-ent requiremcli-ents23

Managed PKI requirements for9

protocols and ports7

Exchange server20

F

File Encryption feature compatibility matrix3

G

Go Secure! for Microsoft Exchange19

Outsourced Administration with18

Go Secure! for Web Applications21

Managed PKI requirements for21

I

IPSec Managed PKI

administrator workstation8

J

Java PTA23

L LDAP

see Lightweight Directory Access

Protocol

Lightweight Directory Access Protocol protocols and ports7

VeriSign Registration Authority Ser-vice with14

(32)

Local Host

Local Hosting12

Go Secure! for Microsoft Exchange with19

Go Secure! for Web Applications with

21

VeriSign Registration Authority Ser-vice with12

Luna token25

Luna token reader25

M

Managed PKI

Managed PKI for SSL compatibility matrix3

Managed PKI for SSL administrator workstation8

Managed PKI for SSL Premium Edi-tion administrator workstaEdi-tion8

Managed PKI requirements administrator workstation8

Go Secure! for Microsoft Exchange

19

Manual Authentication8, 18

manuals see documentation MSI package23 N Netegrity SiteMinder22 O OA

see Outsourced Authentication

ODBC

operating system

Managed PKI end user machine9

VeriSign Registration Authority Ser-vice13 Outsourced Authentication17 compatibility matrix3 P Passcode Authentication8 compatibility matrix3

19

Personal Trust Agent compatibility matrix3

requirements for21

PTA

see Personal Trust Agent

R

requirements

Certificate Parsing Module15

Device Manufacturing Service17

Exchange server20

19

local hosting12

Luna tokens and reader25

Managed PKI end user machine9

Managed PKI for SSL administrator workstation10

Online Certificate Status Protocol16

VeriSign Registration Authority Ser-vice12

S

(33)

- - - Index

T

token reader

see Luna token reader

tokens

see Luna token

V

VeriSign Registration Authority Ser-vice12

W

Web servers

Certificate Validation Module15, 16

Local Hosting11, 12

WebLogic Application Server22

WebSphere Application Server22

Windows authentication

(34)

INSTALLATION GUIDE. Managed PKI v7.2. Hardware/Software Requirements

Managed PKI v7.2

Contents

Introduction

About this Manual

Related Managed PKI Documents

Compatibility Matrix for Single Digital ID

Managed PKI Requirements

Protocols and Ports

Internet Access for Authentication Methods

Managed PKI Administrator Workstation

End User Machine

Managed PKI for SSL

Local Hosting

VeriSign Registration Authority Service Module

Certificate Validation Module (CVM)

Certificate Parsing Module (CPM)

Online Certificate Status Protocol (OCSP)

Device Manufacturing Service (DMS)

Outsourced Authentication

Go Secure! Requirements

Go Secure! for Microsoft Exchange v7.2

Go Secure! for Web Applications v7.2

Luna Hardware Security Module

Support

Token Readers

Luna HSMs

Index