How to do automatic vetting of certificate requests for Sentry RA
Originally Published: 2001-07-24
Article Number: TechNote 0223
Issue
Automatic vetting of certificate requests refers to the signing of certificates without administrator intervention, followed by the automatic download of the issued certificates into client browsers.
You must change both the CA's and the RA's LDAP ACL rules that govern the RA enrollment client's access to the "request queue", using the "Modify LDAP ACL Rules" function. You must also use the automatic vetting templates provided.
Remember that when setting LDAP ACL rules, the order of the rules is critical.
Solution:
1. Modify the RA's LDAP ACL Rules
a. Determine the md5 values of the RA admin client and the RA enrollment client.
This can be found at the end of the LDAP ACL rules in the rule that allows writing to the request queue:
access to dn="dn=request_queue"
by dn="md5=<ra-admin-client-md5>" write
by dn="md5=<ra-enrollment-client-md5>" write
(After installation, the first one is always the admin client and the second one is always the enrollment client.)
b. The RA enrollment client needs write access to the xuda_certificate objectclass for automatic vetting to work.
Find the section which controls access to the xuda_certificate objectclass. It looks like this:
access to filter="objectclass=xuda_certificate"
by dn="md5=<ra-admin-client-md5>" write
by dn=".*" read
Modify the above ACL into:
access to filter="objectclass=xuda_certificate"
by dn="md5=<ra-admin-client-md5>" write
by dn="md5=<ra-enrollment-client-md5>" write
by dn=".*" read
c. Save this modification to the ACL database.
2. Modify the Target CA's LDAP ACL Rules
a. The RA enrollment client needs write access to the target CA's request_queue.
Find the section which controls access to the target CA's request_queue. It looks like:
access to dn="dn=request_queue"
by dn="md5=<ca-admin-server-md5>" write
by dn="md5=<ca-enrollment-server-md5>" write
by dn="md5=<dss-enrollment-server-md5>" write
by dn="md5=<ra-admin-client-md5>" write
by dn="xcert_products" write
by dn=".*" none
Modify the above ACL into:
access to dn="dn=request_queue"
by dn="md5=<ca-admin-server-md5>" write
by dn="md5=<ca-enrollment-server-md5>" write
by dn="md5=<ca-dss-enrollment-server-md5>" write
by dn="md5=<ra-admin-client-md5>" write
by dn="md5=<ra-enrollment-client-md5>" write
by dn="xcert_products" write
by dn=".*" none
b. The RA enrollment client also needs write access to the target CA's signing backend.
Find the related section, which looks like:
access to dn="md5=<target-CA-md5>,o=ca,o=services"
by dn="md5=<ca-admin-server-md5>" write
by dn="md5=<ra-admin-client-md5>" write
by dn="xcert_products" write
by dn=".*" none
Modify it into:
access to dn="md5=<target-CA-md5>,o=ca,o=services"
by dn="md5=<ca-admin-server-md5>" write
by dn="md5=<ra-admin-client-md5>" write
by dn="md5=<ra-enrollment-client-md5>" write
by dn="xcert_products" write
by dn=".*" none
c. Save the above modifications to the CA's ACL database.
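The ACL edits in steps 1 and 2 can fail silently in exactly the way the article warns about: a grant placed after the catch-all by dn=".*" line never takes effect. The following Python script is an added example, not part of this TechNote or of the Sentry product; it parses ACL text in the syntax shown above, works out the RA enrollment client's effective access under first-match semantics (an assumption, consistent with the article's note that rule order is critical), and flags grants shadowed by a catch-all. The ACL text and the *-MD5 values in it are constructed placeholders.

```python
import re

# Constructed sample (not a real deployment): the CA request_queue rule after
# step 2a and the RA xuda_certificate rule before step 1b; *-MD5 are placeholders.
SAMPLE_ACL = """
access to dn="dn=request_queue"
  by dn="md5=CA-ADMIN-MD5" write
  by dn="md5=RA-ADMIN-MD5" write
  by dn="md5=RA-ENROLL-MD5" write
  by dn="xcert_products" write
  by dn=".*" none
access to filter="objectclass=xuda_certificate"
  by dn="md5=RA-ADMIN-MD5" write
  by dn=".*" read
"""
ACCESS_RE = re.compile(r'^access\s+to\s+(\S.*?)\s*$')
BY_RE = re.compile(r'^by\s+dn="([^"]*)"\s*(write|read|none)$')

def parse_acl(text):
    """Return [(target, [(dn_pattern, level), ...]), ...] in file order."""
    rules = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if m := ACCESS_RE.match(line):
            rules.append((m.group(1), []))
        elif (m := BY_RE.match(line)) and rules:
            rules[-1][1].append((m.group(1), m.group(2)))
        else:
            raise ValueError("unparsable ACL line: %r" % line)
    return rules

def effective_level(rules, target, client_dn):
    """Assumed first-match semantics (why the article says order is critical):
    the first 'by' pattern matching the client DN decides the access level."""
    for rule_target, clauses in rules:
        if rule_target == target:
            for pattern, level in clauses:
                if re.fullmatch(pattern, client_dn):
                    return level
    return "none"

def shadowed_clauses(rules):
    """Grants written after a catch-all '.*' clause: they can never match."""
    found = []
    for target, clauses in rules:
        catch_all_seen = False
        for pattern, _ in clauses:
            if catch_all_seen:
                found.append((target, pattern))
            catch_all_seen = catch_all_seen or pattern == ".*"
    return found
```

Run against the sample, the request_queue rule yields "write" for the enrollment client while the xuda_certificate rule still yields only "read", which is the state step 1b corrects.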
3. Set up the automatic vetting templates
Obtain the autovetting templates for the RA from the URL: https://knowledge.rsasecurity.com/docs/utilities/ra_autovet40.zip
a. Unzip the zip file and you will get the following four xuda files:
ra-request-spk.xuda
ra-add-spk-request.xuda
ra-request-msie.xuda
ra-add-msie-request.xuda
b. Copy these files under <installed-RA-dir>\webServer\enroll-server
c. If you want the RA to vet certificate requests both manually and automatically, follow this procedure:
i. Open the file index.xuda in the enrollment server sub-directory.
ii. Find the two lines which look like:
and
iii. Modify them into:
and
iv. Save the file under another name of your choice (e.g. ra-autovet-index.xuda).
v. Tell your users who need their certificate requests vetted automatically to browse the RA enrollment server by using:
https://<ra_hostname>:<ra_enroll_port>/ra-autovet-index.xuda
d. If you want your RA to vet ALL certificate requests automatically, follow steps i, ii and iii above, then save the modified file in place of the original; this directs all users to the auto-vetting templates.
Note: You may need to change the file permission to perform this step. Make sure to change its file permission back to "Read-only" after finishing the modification.
Additional Notes:
- TTL (time to live) should be set to the number of days that you want the certificates to be valid for. You can modify the value for TTL in ra-add-msie-request.xuda or ra-add-spk-request.xuda.
- To allow auto-vetting of a LUNA based CA or any CA for which a passphrase is used, you must ensure that either:
a.) The PIN is automatically provided at startup using the "setpin" directive.
or
b.) The correct PIN is entered at startup time.
- If you are using Netscape Navigator as the client browser, after clicking the "Submit" button, once the process is done, the certificate is downloaded into your browser directly. You can check it by going to Security --> Certificates --> Yours.
If you are using MSIE as the client browser, after clicking the "Submit" button, once the process is done, you will have to click the "Install" button to install the certificate into your browser.