Auto Enrollment

This section takes you through the process of automatically enrolling an end-entity to obtain a certificate. To complete this section you must have successfully completed the Installation module and have a CMS subsystem running on your target machine.

Install the authentication manager plugin in Netscape console.

Prerequisites

To be successful in this exercise you must have completed the following activities or have the following information at hand:
  • You must have imported the agent's certificate into the system you are using.
  • You must use the SSL End-Entity port (in the installation module we recommended that you use 17005).

Procedure

In this exercise you will play two key roles: first you will act as an administrator and set up the authentication manager plugin in Netscape console. This plugin must be in place and configured to handle automatic access to the LDAP database. You will also use Netscape Console to establish a user for whom a certificate will be issued. In your second role, you will act as an end-entity requesting a certificate using the automatic user enrollment form.

To accomplish this you will use Netscape console on your system and one browser window to get the certificate.

Read the following steps. You can view each step and then perform the operation on your system, or read all the steps first and then perform the operations.

Step 1

Use Netscape Console to establish and configure the authentication manager plugin as demonstrated below.


Figure 6.9

Configuration Values For Authentication Instance Editor

Config Parameter            Value
--------------------------  ----------------------------------------------------------------------
dnpattern                   E=$attr.mail, CN=$attr.cn, O=$dn.c
ldapStringAttributes        mail, mailalternateaddress
ldapByteAttributes          <leave blank>
ldap.ldapconn.host          smith.mcom.com   <machineName.your_domain.domain>
ldap.ldapconn.port          389   <If you installed your Directory Server with a different port, use that port number>
ldap.ldapconn.secureConn    false   <Specifies whether the port to the directory is HTTP (false) or HTTPS (true).>
ldap.ldapconn.version       3   <Specifies the LDAP protocol version.>
ldap.basedn                 o=mcom.com   <During installation of the Directory Server, you specified a base DN. Use that value.>
ldap.minConns               2
ldap.maxConns               10

These values should work for a typical installation.
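The dnpattern row is the part of this table that decides what ends up in the issued certificate: each $attr.NAME token is filled from an attribute of the user's directory entry, and each $dn.NAME token from a component of the user's DN. The following Python script is an added example (not part of the original page or of CMS4) that expands the pattern from Figure 6.9 against a constructed sample entry and flags configuration values worth a second look before Step 2. The entry, the user "jdoe", and the exact $attr/$dn substitution rules are assumptions made for the illustration.

```python
"""Expand a CMS4-style dnpattern and sanity-check the directory connection
values from the authentication instance table (constructed example)."""
import re
from typing import Dict, List, Tuple

# Constructed: the configuration values from Figure 6.9.
AUTH_CONFIG: Dict[str, str] = {
    "dnpattern": "E=$attr.mail, CN=$attr.cn, O=$dn.c",
    "ldapStringAttributes": "mail, mailalternateaddress",
    "ldapByteAttributes": "",
    "ldap.ldapconn.host": "smith.mcom.com",
    "ldap.ldapconn.port": "389",
    "ldap.ldapconn.secureConn": "false",
    "ldap.ldapconn.version": "3",
    "ldap.basedn": "o=mcom.com",
    "ldap.minConns": "2",
    "ldap.maxConns": "10",
}

# Constructed: a hypothetical directory entry like the one added in Step 2.
SAMPLE_ENTRY = {
    "dn": "uid=jdoe, ou=People, o=mcom.com, c=US",
    "attrs": {"uid": "jdoe", "cn": "Jane Doe", "mail": "jdoe@mcom.com"},
}

# $attr.NAME -> attribute of the entry; $dn.NAME -> component of the entry's DN
# (assumed substitution rules for this example).
_TOKEN = re.compile(r"\$(attr|dn)\.([A-Za-z][A-Za-z0-9-]*)")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into ordered (type, value) pairs. Assumes no escaped commas."""
    pairs = []
    for rdn in dn.split(","):
        typ, _, val = rdn.strip().partition("=")
        pairs.append((typ.strip().lower(), val.strip()))
    return pairs


def build_subject_dn(pattern: str, entry: dict) -> str:
    """Substitute every $attr.X / $dn.X token; fail loudly if the entry lacks one."""
    dn_parts = dict(parse_dn(entry["dn"]))
    attrs = {k.lower(): v for k, v in entry["attrs"].items()}

    def repl(match):
        kind, name = match.group(1), match.group(2).lower()
        source = attrs if kind == "attr" else dn_parts
        if name not in source:
            # A missing value must not silently produce an empty RDN.
            raise KeyError(f"dnpattern needs ${kind}.{name} but the entry has no such value")
        return source[name]

    return _TOKEN.sub(repl, pattern)


def check_config(cfg: Dict[str, str]) -> List[str]:
    """Return human-readable findings for settings worth a second look."""
    findings = []
    if cfg["ldap.ldapconn.secureConn"].strip().lower() != "true":
        findings.append("secureConn is false: the CMS-to-directory connection is not TLS-protected")
    if cfg["ldap.ldapconn.version"].strip() != "3":
        findings.append("LDAP protocol version is not 3")
    if int(cfg["ldap.minConns"]) > int(cfg["ldap.maxConns"]):
        findings.append("minConns exceeds maxConns; the connection pool can never be satisfied")
    if not _TOKEN.search(cfg["dnpattern"]):
        findings.append("dnpattern has no $attr/$dn token: every certificate would get the same subject")
    return findings


if __name__ == "__main__":
    print(build_subject_dn(AUTH_CONFIG["dnpattern"], SAMPLE_ENTRY))
    for finding in check_config(AUTH_CONFIG):
        print("finding:", finding)
```

With the sample entry, the pattern expands to E=jdoe@mcom.com, CN=Jane Doe, O=US; an entry without a mail attribute raises rather than yielding a certificate with an empty E component, and the table's secureConn=false setting is reported as the one finding.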

Step 2

You must add a user for whom a certificate will be automatically issued. There are a variety of ways to do this, but for this exercise you will use Netscape Console as shown below.


Figure 6.10

Step 3

Start a Navigator window and connect to the end-entity port as described in the Manual Enrollment section. Once you are connected, request a certificate through the Directory-based enrollment process as demonstrated below. Note that you may have to go through the process of accepting the CMS4 server's certificate in order to get to the enrollment form.


Figure 6.11

This concludes this exercise.


Copyright © 1999 Sun-Netscape Alliance.
All Rights Reserved.