Installation and Configuration Guide

(1)

Entrust Managed Services PKI™

Auto-enrollment Server 7.0

Installation and Configuration Guide

Document issue: 1.0

Date of Issue: July 2009

(2)

Entrust is a trademark or a registered trademark of Entrust, Inc. in certain countries. All Entrust product names and logos are trademarks or registered trademarks of Entrust, Inc. in certain countries. All other company and product names and logos are trademarks or registered trademarks of their respective owners in certain countries.

This information is subject to change as Entrust reserves

Obtaining technical support

For support assistance by telephone call one of the numbers below:

• 1-877-754-7878 in North America

• 1-613-270-3700 outside North America You can also email Customer Support at:

[email protected]

(3)

About Auto-enrollment Server . . . .7

Overview . . . 8

Auto-enrollment Server system components . . . 9

Tier 1 . . . 10

Tier 2 . . . 10

Tier 3 . . . 11

How the auto-enrollment process works . . . 13

Auto-enrollment request . . . 13

Choice of certificate type and role . . . 13

Auto-enrollment decision procedure . . . 14

Enrollment and recovery queues for administrator approval . . . 14

How the distinguished name (DN) is created . . . 16

How the subjectAltName is created . . . 17

How the subjectAltName is created for domain controller certificates 17

Preparing for installation . . . .19

Planning your installation . . . 20

What you should have from Entrust for the pre-installation . . . 21

Pre-installation tasks . . . 21

Step 1: Installing the Web Server . . . 22

Step 2: Obtaining a Web server certificate . . . 24

Step 3: Assigning the certificate to your Web server . . . 42

Step 4: Enabling SSL on your Web server . . . 51

Step 5: Configuring integrated Windows authentication . . . 56

Step 6: Testing the SSL-enabled Web server . . . 60

Step 7: Obtaining a certificate for Auto-enrollment Server . . . 61

(4)

Installing Auto-enrollment Server . . . .73

What you should have from Entrust for the installation of Auto-enrollment Server . . . 73

Installing Auto-enrollment Server . . . 74

Checking the Auto-enrollment Server installation . . . 86

Verify adminservice.log file . . . 86

Verify the Web server is passing requests to Auto-enrollment Server 86

Verify installation log file . . . 87

Verify configuration log file . . . 87

Customizing the Auto-enrollment Server . . . .89

What you should have from Entrust for Auto-enrollment Server customizations . . . 90

Customizing the certificate type and user role . . . 91

Configuring a default certificate type . . . 91

Configuring a default User Role . . . 92

Configuring the client information setting . . . 93

Customizing certificate lifetimes . . . 96

Customizing a user’s Distinguished Name (DN) . . . 97

Customizing a search base for enrolling clients . . . 98

Configuring the DNS name . . . 99

Configuring queuing . . . .101

Enabling queuing in Auto-enrollment Server . . . 102

Configuring the ae-defaults.xml file to queue requests . . . 102

Configuring the queuing monitor . . . 103

Approving or rejecting requests in Administration Services . . . 105

Troubleshooting . . . .109

(5)

5

Time synchronization . . . 115

Error messages . . . 116

Glossary of terms . . . 117

Writing your own DN Builder implementation code . . . 131

DN Builder examples . . . 132

Customizing the DN builder code . . . 133

DistinguishedNameBuilderDefaultImp . . . 135

Customizing the default DN Builder implementation . . . 135

Constructor Summary . . . 136

Method Summary . . . 136

Constructor Detail . . . 139

Method Detail . . . 139

ActiveDirectoryUserInfo . . . 149

Method Summary . . . 149

Method Detail . . . 149

Index . . . 153

(6)

(7)

7

1

About Auto-enrollment Server

The Entrust Authority™ Auto-enrollment Server creates certificates and sends these transparently to an Entrust Entelligence™ Security Provider for Windows client.

The following topics provide an introduction to Auto-enrollment Server:

• “Overview” on page 8

• “Auto-enrollment Server system components” on page 9

• “How the auto-enrollment process works” on page 13

(8)

Overview

The Auto-enrollment Server simplifies certificate deployment by providing automatic enrollment of keys and certificates to users and computers. Enrollment is also transparent to the administrator (the level of transparency to the end-user depends on the user key store selected for key protection).

The Auto-enrollment Server communicates with the Security Provider for Windows client to automatically deliver a certificate to Windows-based users or computers.

Auto-enrollment Server can provide a certificate to the following Windows-based machines:

• Laptops and desktops

• Microsoft Windows IIS Web browsers and servers

• Domain Controllers

• Authentication clients and servers (RRAS, IAS, VPN, Radius Servers)

Note: The Security Provider for Windows client must be online at the time of the initial auto-enrollment request, in order for the request to be processed by Auto-enrollment Server.

When the enrollment request is sent from the Security Provider for Windows client to Auto-enrollment Server, the enrollment may be processed automatically or the enrollment may be queued. Queuing is an optional feature, which takes an enrollment request and leaves it at the Auto-enrollment Server for approval by an administrator. In the case of an automatically processed request, Auto-enrollment Server contacts the Certification Authority (CA) for approval. Once the

auto-enrollment request has been automatically approved or approved by the administrator in the case of queuing, the authorization code and reference number are passed to the Security Provider for Windows client. The Security Provider for Windows client uses the authorization code and reference number to complete the enrollment process.

(9)

9 About Auto-enrollment Server

Report any errors or omissions

Auto-enrollment Server system components

The following figure provides an illustration of the Auto-enrollment Server system components in a Three-Tier client/server environment:

Figure 1: Auto-enrollment Server system components

(10)

Tier 1

Entrust Entelligence Security Provider for Windows (Security Provider) is known as the tier 1 client component in this three-tier client/server environment.

Note: You host the Security Provider client.

Entrust Entelligence™ Security Provider for Windows

Entrust Entelligence Security Provider for Windows (Security Provider) is the client that transparently communicates with Auto-enrollment Server to enroll certificates.

Auto-enrollment Server transparently issues certificates to a user or computer through Security Provider.

Auto-enrollment is enabled per-CA by configuring the following registry values:

• AutoEnrollUserURL

• AutoEnrollMachineURL

You can configure the registry values in the Windows registry of the machine in which Security Provider is installed or through Security Provider’s Custom Installation wizard (Specify Entrust PKI Information page). For more information on adding these values, see the Entrust Entelligence Security Provider for Windows Administration Guide.

A CA can have user auto-enrollment and machine auto-enrollment enabled for it.

If the AutoEnrollUserURL value is present, user auto-enrollment is enabled for that CA. If the AutoEnrollMachineURL value is present, machine auto-enrollment is enabled for that CA. Both values support a list of Auto-enrollment Server URLs in case connections to multiple Auto-enrollment Servers should be attempted. If a

connection to the first Auto-enrollment Server does not work, the second server URL is tried, and so on. Once a connection is established with one Auto-enrollment Server, connections to other servers are not attempted.

Tier 2

The Microsoft Internet Information Services (IIS) Web Server and Tomcat Application Server are known as tier 2 in the three-tier client/server environment. The Web Server and Application Server provide the middle-tier processing between Security Provider and the CA.

(11)

Microsoft Internet Information Services (IIS) Web Server

Security Provider for Windows communicates with the Microsoft IIS Web Server through a firewall. SSL encryption must be used on the Web Server to secure the connection between Security Provider and Auto-enrollment Server. Security Provider communicates directly with an SSL-enabled Microsoft IIS Web Server over HTTPS.

The Microsoft IIS Web Server is configured to authenticate Security Provider through Windows Integrated Authentication using the NTLM or Kerberos authentication methods.

Tomcat Application Server

The Tomcat Application Server is connected directly to the Microsoft IIS Web Server.

The Microsoft IIS Web Server communicates through a Tomcat isapi filter to a JK2 Connector in the Tomcat Application Server. The JK2 Connector passes information to the Auto-enrollment Server located in the Tomcat Application Server.

Tier 3

Entrust Managed Services PKI certification authority (CA) is known as the tier 3 server component in a three-tier client/server environment.

Note: Entrust Managed Services PKI hosts the CA.

Entrust Managed Services PKI certificate authority

Entrust Managed Services PKI runs the certification authority (CA) for the Auto-enrollment Server system. The main functions the CA is to:

• create certificates for all public keys

• create encryption key pairs

• provide a managed, secure database of information that allows the recovery of encryption key pairs

• enforce the security policies defined by your organization

• publish Certificate Revocation Lists (CRLs)

• publish Policy Certificates

Auto-enrollment Server must be able to communicate with the XML Administration Protocol (XAP) Server running as part of the CA. Communication between these components is XAP over HTTPS.

(12)

Database

The database is under the control of Entrust Managed Services PKI and acts as a secure storage area for all information related to the CA. The database stores:

• the CA signing key pair (this key pair may be created and stored on a separate hardware device rather than the database)

• user or computer status information

• the encryption key pair history (including all decryption private keys and encryption public key certificates) for each user and computer

• the verification public key history (including all verification public key certificates) for each user and computer

• the validity periods for signing key pairs, encryption key pairs, and system cross-certificates

• Security Officer and administrator information

• CA policy information

• revocation information

Note: All information stored in the database is secured to protect against tampering.

(13)

How the auto-enrollment process works

The following sections provide a high-level view of the auto-enrollment process:

• “Auto-enrollment request” on page 13

• “Choice of certificate type and role” on page 13

• “Auto-enrollment decision procedure” on page 14

• “Enrollment and recovery queues for administrator approval” on page 14

Auto-enrollment request

Security Provider sends an auto-enrollment request over SSL to the Microsoft IIS Web Server. Windows Authentication is performed, using the NTLM or Kerberos

authentication protocol, and this determines the Windows domain and name of the remote client that sent the request.

The Auto-enrollment Server builds a distinguished name (DN) from the Windows domain and user name found in the auto-enrollment request. There may be messages sent from the Auto-enrollment Server to the directory to determine the first and last names.

An authentication servlet in the Tomcat Application Server receives the request through an ISAPI connector. The client is authenticated primarily through

membership in a Windows domain name. The user’s Windows domain and account name must be mapped by the server to an X.500 distinguished name (DN). The default mapping creates a common name from the user’s Windows domain login name. This is received by the authentication component.

The administrator can choose to customize the distinguished name (DN) builder implementation, instead of using the default. The DistinguishedNameBuilder interface can be used to define your own mapping procedure. Refer to the section

“Customizing a user’s Distinguished Name (DN)” on page 97.

Choice of certificate type and role

The choice of certificate type and user role is made by Auto-enrollment Server and is configurable in the ae-defaults.xml file. Refer to the section “Customizing the certificate type and user role” on page 91 for further information.

When Auto-enrollment Server decides the Certificate Type and Role that will be used for the enrollment, it communicates this to the CA so the appropriate identity is created.

(14)

Auto-enrollment decision procedure

When the auto-enrollment/recovery request is sent from Security Provider to Auto-enrollment Server, Auto-enrollment Server sends one of the following three types of responses to Security Provider:

• Approval response

A response that includes an authorization code and reference number Security Provider can use to communicate with the CA, and enroll/recover the user or computer. The response also indicates the validity period of these activation codes and whether an enrollment or recovery should be

performed.

• Queued response

A response which indicates that the request has been queued for administrative approval.

• Rejection response

A response that includes an error code and reason indicating why the auto-enrollment/recovery cannot occur.

Once Security Provider has the approval response, communication with

Auto-enrollment Server is complete. The enrollment or recovery is then performed through direct communication with the CA.

Enrollment and recovery queues for administrator approval

When an auto-enrollment request is sent from Security Provider to Auto-enrollment Server, Auto-enrollment Server can be configured to automatically process the request immediately or queue the enrollment request. Queuing is an optional feature and occurs when an enrollment request waits at Auto-enrollment Server for approval by an administrator. Refer to the chapter “Configuring queuing” on page 101 for further information on configuring queuing.

When an auto-recovery request is sent from Security Provider to Auto-enrollment Server, Auto-enrollment Server can be configured to automatically process the request immediately, queue the recovery request, or reject the request immediately.

For further information on what triggers an auto-recovery request, refer to the Entrust Entelligence Security Provider for Windows Administration Guide.

When queuing is available, all auto-recovery requests are placed in the queue and the administrator will decide if an auto-recovery should be granted or denied. When

(15)

Denied

• when the signing certificate is revoked

• when updates are not allowed at the CA for this user

When an auto-recovery is denied, Auto-enrollment Server returns an error to Security Provider. When the error message displays to the end user, explaining that the auto-recovery attempt failed, the user must inform their administrator that a recovery is required. To enable key recovery for the user, the administrator has to set the user for Key Recovery at the CA. This switches the user from the Active state into the Key Recovery state at the CA, and an auto-recovery is automatically granted by

Auto-enrollment Server.

(16)

How the distinguished name (DN) is created

Auto-enrollment Server may create a distinguished name (DN) for the user or computer if a DN does not already exist in the directory. The default behavior of the DN builder implementation in the Auto-enrollment Server is to take the user or computer name and the domain name to create a DN for this user or computer. If the DN already exists in the directory, most likely when Active Directory is used, it will not be created. If the DN does not already exist in the directory, the DN is added.

When the DN is created for a user or computer, it is created differently based upon the directory and whether it is a DN for a user or computer.

LDAP Directory

The DN of the user or computer is created by using the user or computer name, from the Windows domain name and the DN of the CA.

For example, assume the following:

• computer name is yottbsmith

• the Windows user is bsmith

• the domain name is SOMEDOMAIN

• the complete domain name is SOMEDOMAIN.abc.com

• the CA DN is ou=SomeUnit, o=abc, c=ca

The user being auto-enrolled will have the following default Subject name:

cn=bsmith SOMEDOMAIN, ou=SomeUnit, o=abc, c=ca

The computer being auto-enrolled will have the following default Subject name:

cn=bsmith$ SOMEDOMAIN, ou=SomeUnit, o=abc, c=ca

When your organization requires you to create DNs for your users or computers in a different manner than the above example, you may choose to customize the default DN builder implementation. Refer to the section “Customizing a user’s Distinguished Name (DN)” on page 97 for further details.

Active Directory

The DN for the user or computer in Active Directory is used for the DN in Entrust Managed Services PKI. There are no exceptions and this cannot be customized.

Note: This is advanced configuration. Contact your Entrust representative for more information.

(17)

• the complete domain name is SOMEDOMAIN.abc.com

• the machine with Active Directory running on it (the domain controller) has the machine name SOMESERVER

• the CA DN is cn=SOMESERVER, cn=AIA, cn=Public Key Services, cn=Services, cn=Configuration, dc=SOMEDOMAIN, dc=abc, dc=com

The user being enrolled will have the following default Subject name:

cn=bsmith, cn=Users, dc=SOMEDOMAIN, dc=abc, dc=com The computer being auto-enrolled will have the following Subject name:

cn=yottbsmith, cn=Computers, dc=SOMEDOMAIN, dc=abc, dc=com

How the subjectAltName is created

Auto-enrollment Server may create a subjectAltName for the user or computer.

The default behavior of the DN builder implementation in Auto-enrollment Server, is to add a subjectAltName for computers and not to add one for users.

Auto-enrollment Server takes the computer name and domain and builds the dNSName, for example, dNSName=computer_name.complete_domain_name.

This value is provided when the user or computer is being added to the CA. Entrust Managed Services PKI then adds the dNSName to the SubjectAltName extension of the certificate.

For example, assume the following:

• computer name is yottbsmith

• the domain name is SOMEDOMAIN

• the complete domain name is SOMEDOMAIN.abc.com The dNSName of the above example is:

dNSName=yottbsmith.SOMEDOMAIN.abc.com

Auto-enrollment Server does a dNSName lookup to get the domain. If the dNSName lookup fails, as a backup you can customize the ae-defaults.xml file to build a dNSName. Refer to the section “Configuring the DNS name” on page 99 for further instructions.

How the subjectAltName is created for domain controller

certificates

Certificates for domain controllers always have extra information added to the subjectAltName. This complies with the “Requirements for Domain Controller Certificates from a Third-Party CA” (article ID 291010) as documented by Microsoft.

In addition to the dNSName, the directory must include the globally unique identifier (GUID) of the domain controller object. The directory stores the GUID in the

(18)

subjectAltName as an Other Name, and it is DER encoded. An example of a subjectAltName with the globally unique identifier (GUID) of the domain controller object in the directory and the Domain Name System (dNSName) is:

Other Name: 1.3.6.1.4.1.311.25.1 = ac 4b 29 06 aa d6 5d 4f a9 9c 4c bc b0 6a 65 d9

DNS Name=ComputerNameOfDomainController.SOMEDOMAIN.abc.com When Security Provider creates the auto-enrollment request message for Auto-enrollment Server, it checks if the computer is a domain controller. If yes, it queries the Active Directory and asks for the GUID of the domain controller. Security Provider for Windows will then include the following two pieces of information in the request message to the Auto-enrollment Server:

• confirmation that the computer is a domain controller

• the GUID

Passing this information in the request message allows Auto-enrollment Server to set extra information in the subjectAltName when necessary.

(19)

19

2

Preparing for installation

This chapter describes how to prepare for the Auto-enrollment Server installation.

Read this chapter if you are the system administrator installing and configuring machines hosting the Auto-enrollment Server components.

This chapter contains the following sections:

• “Planning your installation” on page 20

• “Step 1: Installing the Web Server” on page 22

• “Step 2: Obtaining a Web server certificate” on page 24

• “Step 3: Assigning the certificate to your Web server” on page 42

• “Step 4: Enabling SSL on your Web server” on page 51

• “Step 5: Configuring integrated Windows authentication” on page 56

• “Step 6: Testing the SSL-enabled Web server” on page 60

• “Step 7: Obtaining a certificate for Auto-enrollment Server” on page 61

(20)

Planning your installation

The following flowchart illustrates the pre-installation steps required for Entrust Managed Services PKI customers installing Auto-enrollment Server.

Figure 2: Pre-installation flowchart

Attention: Auto-enrollment Server is an add-on that works together with Entrust Entelligence Security Provider (Security Provider). As such, you must already have Security Provider installed at this time. Security Provider and related documentation is available for download from Entrust TrustedCare at

https://secure.entrust.com/trustedcare/.

(21)

21 Preparing for installation Report any errors or omissions

What you should have from Entrust for the pre-installation

Ensure you have all the items listed in the table below. If you do not, contact Entrust Managed Services PKI.

Pre-installation tasks

You must complete the following tasks, in order, prior to installing Auto-enrollment Server.

Note: This guide assumes you have already obtained an administrator certificate. If you are an Entrust Managed Services PKI customer, but have not yet created an administrator certificate, see the Administrator Guide under the Resources tab of www.entrust.com/managed_services.

• “Step 1: Installing the Web Server” on page 22

• “Step 2: Obtaining a Web server certificate” on page 24

• “Step 3: Assigning the certificate to your Web server” on page 42

• “Step 4: Enabling SSL on your Web server” on page 51

• “Step 5: Configuring integrated Windows authentication” on page 56

• “Step 6: Testing the SSL-enabled Web server” on page 60

• “Step 7: Obtaining a certificate for Auto-enrollment Server” on page 61 Table 1: Pre-install check list

Item Have it?

Your organization’s URL to Administration Services, a Web-based application that allows you to create and manage certificates and accounts.

Credentials to access Entrust TrustedCare

(https://secure.entrust.com/trustedcare/), which allows you to download purchased software and related documentation

Entrust Managed Services PKI Welcome letter. Specifically the name of the Certificate type to select when creating the Web Server certificate account.

(22)

Step 1: Installing the Web Server

If you have not done so already, install the Microsoft IIS Web Server.

Note: Ensure you understand all specific security requirements for your product.

The following procedure describes the Microsoft IIS Web Server installation on a Windows 2003 server.

To install Microsoft IIS Web Server (Windows 2003 Server) 1 Click Start > Control Panel > Add or Remove Programs.

The Add or Remove Programs dialog box appears.

2 From the left menu pane, select Add/Remove Windows Components.

After a few moments, the Windows Components Wizard dialog box appears.

(23)

3 Select Application Server and click Next.

Note: This preforms a default installation. For production purposes, you should consult your organization’s security policy to determine which components to install.

4 Once complete, click Finish.

(24)

Step 2: Obtaining a Web server certificate

To enable SSL between the Security Provider for Windows client and the Microsoft IIS Web server, a certificate for the Web server is required.

If you are deploying Auto-enrollment Server in a multi-domain environment, ensure that each Microsoft IIS Web server is issued a certificate.

Complete the following procedures, in order:

• “To log in to Administration Services” on page 24

• “To create a Web server certificate account” on page 26

• “To enroll for the Web server certificate using Security Provider” on page 33 To log in to Administration Services

1 Enter the Administration Services URL provided by Entrust Managed Services PKI into a browser.

The following page appears.

2 Depending on where you stored your administrator certificate, do one of the following:

(25)

if you stored your certificate... Do this

in the Entrust desktop security store on your computer

1 Click Browse to navigate to the location where you stored your administrator digital ID (.epf file) and click Open.

The file name and path appear in the Entrust Desktop Security Store File Name field. Select Remember Entrust Desktop Security Store File Name to retain the path.

2 Enter the password you created for your certificate and click Log in.

within the Windows framework or on a smart card or token.

1 Click the Log in with my Third-Party Security Store link.

The Administrator Login - Third-Party Security Store page appears.

Note: If logging in with a smart card or token, ensure it is connected to your computer.

2 Click Display certificate list.

The Select Certificate dialog box appears listing one or more digital certificates.

3 Select your certificate from the list and click OK.

(26)

Upon successful login, the following page appears.

You successfully logged in to Administration Services.

To create a Web server certificate account

1 If you are not already logged in to Administration Services, do so now. See “To log in to Administration Services” on page 24 for more information.

(27)

The main page appears.

2 Click Create Account under Account Tasks in the main pane or under Tasks in the left-hand menu.

The initial Create Account page appears.

(28)

3 From the User Type drop-down list, select Web server.

4 From the Certificate Type drop-down list, select your company’s specific certificate type. Consult your Entrust Managed Services PKI Welcome letter for more information.

5 Click Submit.

A second Create Account page appears where you provide the Web server name and other information.

(29)

6 From the User Information section:

a In the Name field, enter the fully qualified domain name (FQDN) of the server (for example, test.dev.ad.entrust.com).

b Optionally, enter a description of the Web server certificate account in the Description field.

7 Leave the Notification Email field empty.

8 From the Group Membership section, select the member option. If no groups are configured, only the default group appears.

9 From the Role section, select End User from the drop-down list.

10 From the Location section, click Select the searchbase and select your company name from the drop-down list (an entry for your organization was created in the directory when you signed up for Entrust Managed Services PKI). This specifies where to add the Web server account in the Administration Services LDAP directory.

11 Click Submit.

The Create Account - Complete page appears.

(30)

12 Securely record the reference number and authorization code. You need these activation codes later during enrollment.

13 Click the name of your Web server certificate in the Name column on the Create Account - Complete page.

The Account Details - <Web server name> page appears, where <Web server name> is the FQDN of your Web server.

(31)

14 Scroll down and click Edit Account.

15 On the Edit Account - Basic Information page, scroll down to the bottom of the page and click the Edit Advanced Information link.

The Edit Account - Advanced Information page appears.

(32)

16 In the Subject Alternative Naming Information section, enter the following in the DNS field (including the quotation marks):

“dnsName=<FQDN>”

where

<FQDN> is the fully qualified domain name of your Web server.

Note: If your machine is known by multiple names on the network, you can put multiple dnsName entries into the certificate, separated by a space. This allows a single certificate to be used for all instances.

(33)

To enroll for the Web server certificate using Security Provider 1 Open the Microsoft Management Console:

a Click Start > Run.

b Enter mmc and click OK.

The console appears.

2 From the console, click File > Add/Remove Snap-in.

The Add/Remove Snap-in dialog box appears.

(34)

3 From the Standalone tab, click Add.

The Add Standalone Snap-in dialog box appears.

(35)

4 Select Entrust Computer Digital ID from the snap-in list, and click Add.

The Select Computer dialog box appears.

(36)

5 Select Local computer and click Finish.

6 Click Close to close the Add Standalone Snap-in dialog box.

7 Click OK on the Add/Remove Snap-in dialog box.

The console reappears with the Entrust Computer Digital ID snap-in listed.

(37)

8 From the left pane of the console, right-click Entrust Computer Digital ID and select Enroll Computer for Entrust Digital ID.

The Welcome to the Enroll Computer for Entrust Digital ID Wizard appears.

9 Click Next.

The Specify the activation codes screen appears.

(38)

10 Enter the reference number and authorization code you obtained in Step 12 on page 30 into the respective fields and click Next.

Security Provider contacts the Entrust Managed Services PKI Certification Authority (CA) and, when successful, displays the Confirm Entrust Digital ID Enrollment screen.

(39)

11 Click Next.

A security warning may appear advising you that you are about to install a certificate issued from the Entrust Managed Services PKI Certification Authority (CA).

(40)

12 Click Yes to install the certificate.

The Completing the Enroll Computer for Entrust Digital ID Wizard screen appears.

(41)

13 Click Finish.

You successfully enrolled your Web server certificate.

(42)

Step 3: Assigning the certificate to your Web

server

Complete the following procedure to assign the SSL certificate to your Web server.

To assign the certificate to your Web server

1 Click Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager.

The Internet Information Services (IIS) Manager appears.

2 In the left pane, expand <x> (local computer) and then expand the Web Sites folder, where <x> is the name of your computer. (In the screenshot above, the computer is named TEST.)

3 Right-click the Web site your want to configure for SSL (for example, Default Web Site) and select Properties.

The <x> Properties dialog box appears, where <x> is the name of the Web site you selected to configure.

(43)

4 Click the Directory Security tab.

The Directory Security tab appears.

(44)

5 In the Secure communications section, click Server Certificate.

The Welcome to the Web Server Certificate Wizard wizard appears.

(45)

6 Click Next.

The Server Certificate screen appears.

(46)

7 Select Assign an existing certificate and click Next.

The Available Certificates screen appears.

(47)

8 Select the certificate you created for your Web server and click Next.

The SSL Port screen appears.

(48)

9 Accept the default SSL port 443 and click Next.

The Certificate Summary screen appears.

(49)

10 Verify everything is correct and click Next.

The Completing the Web Server Certificate Wizard screen appears.

(50)

11 Click Finish.

You successfully assigned your SSL Web server certificate in Microsoft IIS.

(51)

Step 4: Enabling SSL on your Web server

You must enable SSL encryption on your Microsoft IIS Web server to secure the connection between the browser on the machine Security Provider is installed and Auto-enrollment Server. When configuring your Web server, it is advised that you do the following:

• Enforce 128-bit encryption for browsers accessing your Microsoft IIS Web Server.

• Enable server SSL authentication so that only the client checks the server’s Web certificate but there is no mutual authentication

The following procedure describes how to enable SSL on Microsoft IIS Web server 6.0. For all other versions, follow the instructions provided in your Microsoft IIS Web server documentation.

Note: Restart your Microsoft IIS Web server after enabling it for SSL.

To enable SSL on Microsoft IIS Web Server 6.0

(52)

3 Right-click the Web site your want to configure for SSL (for example, Default Web Site) and select Properties.

The <x> Properties dialog box appears, where <x> is the name of the Web site you selected to configure.

(53)

5 In the Secure communications section, click Edit.

The Secure Communication dialog box appears.

(54)

6 Select the following:

• Require secure channel (SSL)

• Require 128-bit encryption

Note: Ensure Ignore client certificates is selected.

7 Click OK.

The Directory Security tab reappears.

8 Click OK.

The Inheritance Overrides dialog box appears.

(55)

9 Click OK.

You successfully enabled SSL on your Web server.

10 Restart your Web server:

a Click Start > All Programs > Administrative Tools > Services.

b From the main pane, select IIS Admin Service.

c Click the Restart the service link.

(56)

Step 5: Configuring integrated Windows

authentication

After configuring SSL on your Web Server, you must configure integrated Windows authentication. If you do not configure integrated Windows authentication, an Entrust Entelligence Security Provider for Windows user cannot enroll for a certificate.

To configure integrated Windows authentication

3 Right-click the Web site you configured for SSL (for example, Default Web Site) and select Properties.

(57)

4 Click the Directory Security tab.

The Directory Security tab appears.

(58)

5 In the Authentication and access control section, click Edit.

The Authentication Methods dialog box appears.

(59)

6 In the Authenticated Access section, select Integrated Windows authentication.

7 Click OK to close the Authentication Methods dialog box.

8 Click OK to close the Internet Information Services (IIS) Manager dialog box.

You successfully configured integrated Windows authentication.

(60)

Step 6: Testing the SSL-enabled Web server

To ensure that your Web server has been installed and configured properly, test the SSL connection between the Microsoft IIS Web server and a Security Provider for Windows client browser.

To test the Web Server

From your Security Provider for Windows client, visit your sample Web site using https in the URL instead of http. If your sample Web site appears, your Web server and SSL are running properly. Your Web browser should indicate a secure connection by displaying a solid key or lock icon.

Figure 3: SSL lock icon in Internet Explorer 8.0

(61)

Step 7: Obtaining a certificate for

Auto-enrollment Server

Before starting the Auto-enrollment Server installation process, you must obtain a certificate for Auto-enrollment Server. The certificate:

• verifies signatures

• establishes SSL connections

• signs XAP requests for the XAP Server

• signs files that are used by the User Registration Service (URS)

To obtain a certificate for Auto-enrollment server, you must first create an account for the certificate in Administration Services and then enroll for the certificate using Security Provider.

Complete the following procedures, in order:

• “To create an account for Auto-enrollment Server in Administration Services” on page 61

• “To enroll for the Auto-enrollment Server certificate” on page 65

Note: If you have more than one Auto-enrollment Server machine, it is recommended that you create a separate account for each server.

To create an account for Auto-enrollment Server in Administration Services 1 Log in to Administration Services. See “To log in to Administration Services” on

page 24 for more information.

(62)

The main page appears.

2 Click Create Account under Account Tasks in the main pane or under Tasks in the left-hand menu.

The initial Create Account page appears.

(63)

3 From the User Type drop-down list, select Person.

4 From the Certificate Type drop-down list, select Enterprise - Admin Services User Registration.

5 Click Submit.

A second Create Account page appears where you provide the account name and other information.

(64)

6 From the User Information section:

a In the First Name field, enter a first name for your Auto-enrollment Server account (for example, AES).

b In the Last Name field, enter any name (for example; User registration.

7 Leave the Email and Notification Email fields empty.

8 From the Group Membership section, select the member option. If no groups are configured, only the default group appears.

9 From the Role section, select the custom role Entrust created for you from the drop-down list (for example; <organization name> User Registration, where

<organization name> is the name of your company or organization.

10 From the Location section, click Select the searchbase and select your company name from the drop-down list (an entry for your organization was created in the

(65)

12 Securely record the reference number and authorization code. You need these activation codes later during enrollment.

13 Proceed to the below procedure: “To enroll for the Auto-enrollment Server certificate” on page 65.

To enroll for the Auto-enrollment Server certificate

1 Right-click the Security Provider icon ( ) from your task bar, and select Enroll for Entrust Digital ID.

The Enroll for Entrust Digital ID Wizard appears.

(66)

2 Click Next.

The Specify your activation codes screen appears.

(67)

3 Enter the reference number and authorization code you received in Step 12 on page 65 and click Next.

Security Provider attempts to contact the Entrust Managed Services PKI Certification Authority (CA) and, when successful, displays the Confirm Entrust Digital ID Enrollment screen.

(68)

4 Click Next.

The Entrust Security Store Location dialog box appears.

(69)

5 Select a location on your machine for the security store, which stores the certificate, and click Next. The default location is C:\Documents and Settings\Administrator\Application Data\Entrust Security Store.

Note: If the folder does not exist, a dialog box appears asking if you want to create the location. Select Yes or No.

The Entrust Security Store Name dialog box appears.

(70)

6 Enter a name for your certificate (.epf file) and click Next. (For example, AESUserReg).

The Entrust Security Store Password dialog box appears.

(71)

7 Enter a password for your certificate, following the rules listed. The red ‘x’ icons turn to green check marks as you satisfy the requirements.

(72)

8 Click Finish.

The Completing the Enroll for Entrust Digital ID Wizard appears.

9 Click Finish.

You successfully obtained a certificate for Auto-enrollment Server and completed all the pre-installation tasks.

(73)

73

3

Installing Auto-enrollment Server

This chapter describes the steps required to install and configure the Auto-enrollment Server installation.

This chapter includes:

• “Installing Auto-enrollment Server” on page 74

• “Checking the Auto-enrollment Server installation” on page 86

What you should have from Entrust for the installation of

Auto-enrollment Server

Ensure you have all the items listed in the table below. If you do not, contact Entrust Managed Services PKI.

Table 2: Install check list

Credentials to access Entrust TrustedCare

(https://secure.entrust.com/trustedcare/), which allows you to download purchased software and related documentation The entrust.ini file, which is needed for the installation of Auto-enrollment Server.

(74)

Installing Auto-enrollment Server

The InstallShield Auto-enrollment Services Wizard installs and configures all of the Auto-enrollment Server components. Once you have successfully run the wizard, there are no other mandatory configuration steps.

Complete the following procedures to download Auto-enrollment Service from Entrust TrustedCare and to install the product:

• “To download Auto-enrollment Server from Entrust TrustedCare” on page 74

• “To install Auto-enrollment Services” on page 74

To download Auto-enrollment Server from Entrust TrustedCare

1 Log in to Entrust TrustedCare at https://www.entrust.com/trustedcare with your credentials.

2 Locate the Entrust Authority Auto-enrollment Server product and select the latest release (for example, 7.0).

3 From the Entrust Entelligence Auto-enrollment Server <version> download page page, download the product zip under the Software heading.

Attention: Check to see if there are Service Packs and/or Patches first. If there are, download the latest pack or patch instead.

4 Extract the zip file.

You successfully downloaded Auto-enrollment Server from Entrust TrustedCare.

To install Auto-enrollment Services

1 Open the Auto-enrollment folder you extracted in Step 4 on page 74, and double-click the AES_<version>_win.exe file, where <version> is the most recent version of Auto-enrollment Server (for example, 7.0).

The install wizard appears.

(75)

75 Installing Auto-enrollment Server

2 Click Next.

The license agreement screen appears.

(76)

3 Select I accept the terms of the license agreement and click Next.

Note: If you do not accept the terms, you cannot proceed with the installation.

The install location screen appears.

(77)

4 Browse for a location to install Auto-enrollment Server and click Next. The default location is C:\Program Files\Entrust\AutoEnrollmentServices.

The entrust.ini location screen appears.

(78)

.

5 Specify the name and path to the entrust.ini file, which was provided to you by Entrust representative, and click Next.

The Auto-enrollment Server certificate (.epf) location screen appears.

(79)

6 Specify the name and path to the Auto-enrollment certificate you created in “To enroll for the Auto-enrollment Server certificate” on page 65 and click Next. You selected the path in Step 5 on page 69 and the name of the .epf file in the following step (for example: C:\Documents and

Settings\Administrator\Application Data\Entrust Security Store\AESUserReg.epf.)

The Auto-enrollment Server certificate (.epf) password screen appears.

(80)

7 Enter the password for the Auto-enrollment Server certificate (.epf) you created in “To enroll for the Auto-enrollment Server certificate” on page 65 and click Next. You selected this password in Step 7 on page 71.

The Web server instance screen appears.

(81)

8 Select your Web site from the available list to host your Auto-enrollment Server application, and click Next.

The Active Directory for credential storage screen appears.

(82)

9 Select No and click Next.

The Active Directory as certificate repository screen appears.

(83)

10 Select No and click Next.

The summary screen appears.

(84)

11 Read the information provided in the summary information page and click Next.

After a few moments, the wizard completes the install of Auto-enrollment Server.

(85)

12 Click Finish to exit the wizard.

You successfully installed Auto-enrollment Server.

(86)

Checking the Auto-enrollment Server

installation

After you have completed the Auto-enrollment Server installation, you may want to verify the following:

• “Verify adminservice.log file” on page 86

• “Verify the Web server is passing requests to Auto-enrollment Server” on page 86

• “Verify installation log file” on page 87

• “Verify configuration log file” on page 87

Verify adminservice.log file

The adminservice.log is the administration log file and displays Auto-enrollment Server information and errors.

After installing Auto-enrollment Server, manually restart Auto-enrollment Server in Windows Services. The following event appears in the adminservices.log when services start successfully, without any errors:

[2009-07-09 10:24:25-0400][DEBUG]UserRegistrationService][URSExtension.ini][][]

Completed URS init

To verify the adminservice.log file

1 Click Start > All Programs > Administrative Tools > Services.

2 Select Entrust Authority (TM) Auto-enrollment Server from the list of services and click Restart the service.

3 Once restarted, wait a few moments and open the adminservice.log file in a text editor, such as Notepad. The log is located in the following directory

<install_directory>\AutoEnrollmentServices\logs\

where <install_directory> is the location of your Auto-enrollment Server install. By default, the install location is: C:\Program Files\Entrust\.

Refer to the section “Logging configuration” on page 110 for detailed information on the administration log file.

(87)

To verify the Microsoft IIS Web Server is passing requests to Auto-enrollment Server

1 Open a browser on the machine with your Web server installed and enter the following URL:

https://<FQDN>/AdminServicesApp/AutoEnroll

where <FQDN> is the fully qualified domain domain of the server (for example, test.dev.ad.entrust.com).

The following information should appear:

• SSL should be enabled

• an error specifying that a GET request was sent to Auto-enrollment Server

Verify installation log file

The installation log file can be used for information purposes or to diagnose installation related problems. The installer logs the following information:

• detects environment information (for example, free space in temp directory)

• any warnings that were issued and bypassed by the person installing the software

• actions performed (for example, files copied, .jar files created, and so on)

• error information

• InstallShield standard logging information (for example, extracting the JVM, evaluating conditions on whether or not to run an action)

Once the installation completes, the installation log file appears in the following location:

<install_directory>\AutoEnrollmentServices\logs\autoenrollments ervices_installer.log

Verify configuration log file

The configuration log file can be used for information purposes or to diagnose configuration related problems. The configuration logs the following information:

• auto-detected environment information

• answers to questions that the person installing the software provided

• actions performed (for example, files copied, configuration changed, and so on)

• detailed error information

• warnings

(88)

Once the installation completes, the configuration log file appears in the following location:

<install_directory>\AutoEnrollmentServices\logs\autoenrollments ervices_configuration.log

(89)

89

4

Customizing the Auto-enrollment

Server

You can configure the Auto-enrollment Server by modifying the ae-config.xml and ae-defaults.xml files.

Note: For any changes to take effect, you must restart the Entrust Authority Auto-enrollment Service in Windows Services.

This chapter describes how to customize Auto-enrollment Server:

• “Customizing the certificate type and user role” on page 91

• “Customizing certificate lifetimes” on page 96

• “Customizing a user’s Distinguished Name (DN)” on page 97

• “Customizing a search base for enrolling clients” on page 98

• “Configuring the DNS name” on page 99

(90)

What you should have from Entrust for Auto-enrollment Server

customizations

Ensure you have all the item listed in the table below. If you do not, contact Entrust Managed Services PKI.

Table 3: Auto-enrollment Server check list

Entrust Managed Services PKI Welcome letter. Specifically the names of your

• certificate type for users and computers

• roles for users and computers

• search base for enrolling clients

(91)

91 Customizing the Auto-enrollment Server

Customizing the certificate type and user role

Auto-enrollment Server settings can be used to choose a specific role and certificate type for users or computers. You can choose to keep the defaults or configure new defaults for your users and computers that are auto-enrolling.

Note: If you need to change a user or computer’s certificate type or role after they auto-enrolled and are in the added state in Administration Services, you must manually configure a new certificate type and role.

Configuring a default certificate type

Auto-enrollment Server uses a default certificate type for users and computers.

• <User>ent_default</User>

The default certificate type for users.

• <Machine>ent_default</Machine>

The default certificate type for computers.

To configure a new default certificate type, complete the following procedure.

To configure a new default certificate type

1 Open the ae-defaults.xml file in a text editor, such as Notepad:

<install_location>\AutoEnrollmentServices\config

<install_location> is the location of the Auto-enrollment Server install. By default, the install location is C:\Program Files\Entrust.

2 Locate the following section of code:

<User>ent_default</User>

<Machine>ent_default</Machine>

</DefaultCertType>

3 Replace one or both of the default certificate type settings with the certificate types listed in your Entrust Managed Services PKI Welcome letter:

<User>ent_default</User>

<Machine>ent_default</Machine>

Some examples of valid certificate types are:

(92)

• ent_twokeypair — two key pair user (encryption and verification)

• ent_nonrepud — three key pair user with non-repudiation key pair (encryption, verification, and non-repudiation)

• ent_efs — three key pair user with EFS key pair (encryption, verification, and encryption file system (EFS))

• ent_nonrepud_and_efs — four key pair user with Nonrepudiation and EFS Key Pairs (encryption, verification, nonrepudiation, and EFS)

• ent_skp_dualusage — one dual usage key pair (dual usage) 4 Save the file.

5 Restart Auto-enrollment Server services in Windows Services.

Configuring a default User Role

The Auto-enrollment Server has a default role for your users and computers.

• <User>End User</User>

The default user role.

• <Machine>End User</Machine>

The default computer role.

To configure a new default role, complete the following procedure.

Note: The administrator must have permission to administer the roles that you configure.

To configure a new default role

<!-- Default roles for user or computer auto-enrollments, for clients that send no <CertTypeInfo> in their auto-enrollment

(93)

3 Replace the default role settings with the roles listed in your Entrust Managed Services PKI Welcome letter:

<User>End User</User> and/or

Some examples of valid roles are:

• Security Officer

• Administrator

• Directory Administrator

• Auditor

• Self-Administration Server

• Administrator

• End User

Note: Entrust may have created some custom roles for you. If you are unaware of the custom roles assigned, contact your Entrust representative.

4 Save the file.

Configuring the client information setting

Auto-enrollment Server has a client information setting that controls the assignment of the certificate type and user role when Security Provider auto-enrolls/recovers. The client information setting is an arbitrary string that must match the string that is sent by Security Provider. The arbitrary string is configured in the Windows Registry on the machine that has Security Provider installed:

• AutoEnrollUserDigitalIDType — arbitrary string used for user auto-enrollment/recovery

• AutoEnrollMachineDigitalIDType — arbitrary string used for computer auto-enrollment/recovery

Auto-enrollment Server takes this string and assigns a certificate type and role to Security Provider.

The Auto-enrollment Server administrator must be allowed to administer users that have these roles, otherwise the enrollment will fail. For example, if the user is assigned the Security Officer role and the Auto-enrollment administrator cannot administer users with the Security Officer role, the enrollment will fail.

Auto-enrollment Server has a client information string that you can configure for users and computers.

To configure a new client string, complete the following procedure.

(94)

To configure a new client string

<!-- CertTypeInfo controls the assignment of certificate type and user role when a client enrolls. Edit as required. ClientInfo strings are arbitrary but must match the string that the client sends. If a ClientInfo string is repeated, AE uses the first encountered.

AE server assigns a <CertType> and <Role> to a client that sends a particular <ClientInfo> string. The AE Server admin must be

allowed to administer users that have these roles; otherwise enrollment will fail. -->

<ClientInfo>some_clients_send_this_string</ClientInfo>

<CertType>ent_default</CertType>

</ClientRequest>

<ClientInfo>other_clients_send_this_different_string</ClientInfo>

<CertType>ent_skp_dualusage</CertType>

<Role>Server Login</Role>

</ClientRequest>

</CertTypeInfo>

Security Provider sends a client request to Auto-enrollment Server. The request contains an arbitrary string that was configured in the

AutoEnrollUserDigitalIDType Windows registry on the machine that has Security Provider installed. In this case, the Security Provider registry setting is AutoEnrollUserDigitalIDType=some_clients_send_this_string

(95)

Auto-enrollment Server reads the <CertType> and <Role> tags to determine which certificate type and role to use for the auto-enrollment. In this code example, the <CertType> is ent-default and the <Role> is End User.

Note: If the string sent in the Security Provider request does not match a string in any of the <ClientInfo> tags, an error is logged and returned to the client.

The default certificate type and role are used when the client does not send any

<ClientInfo> string at all, or no <ClientTypeInfo> is configured at the server.

4 Save the file.

Installation and Configuration Guide

Entrust Managed Services PKI™

Auto-enrollment Server 7.0