Installation and Configuration Guide


Entrust Managed Services PKI Auto-enrollment Server 7.0 Installation and Configuration Guide
Document issue: 1.0
Date of Issue: July 2009

Copyright 2009 Entrust. All rights reserved. Entrust is a trademark or a registered trademark of Entrust, Inc. in certain countries. All Entrust product names and logos are trademarks or registered trademarks of Entrust, Inc. in certain countries. All other company and product names and logos are trademarks or registered trademarks of their respective owners in certain countries. This information is subject to change as Entrust reserves the right to, without notice, make changes to its products as progress in engineering or manufacturing methods or circumstances may warrant.

Obtaining technical support
For support assistance by telephone, call one of the numbers below: in North America; outside North America. You can also contact Customer Support at:

Export and/or import of cryptographic products may be restricted by various regulations in various countries. Export and/or import permits may be required.

Table of Contents

1 About Auto-enrollment Server
  Overview
  Auto-enrollment Server system components
    Tier 1
    Tier 2
    Tier 3
  How the auto-enrollment process works
    Auto-enrollment request
    Choice of certificate type and role
    Auto-enrollment decision procedure
    Enrollment and recovery queues for administrator approval
  How the distinguished name (DN) is created
  How the subjectaltname is created
  How the subjectaltname is created for domain controller certificates

2 Preparing for installation
  Planning your installation
    What you should have from Entrust for the pre-installation
    Pre-installation tasks
  Step 1: Installing the Web Server
  Step 2: Obtaining a Web server certificate
  Step 3: Assigning the certificate to your Web server
  Step 4: Enabling SSL on your Web server
  Step 5: Configuring integrated Windows authentication
  Step 6: Testing the SSL-enabled Web server
  Step 7: Obtaining a certificate for Auto-enrollment Server

Installing Auto-enrollment Server
  What you should have from Entrust for the installation of Auto-enrollment Server
  Installing Auto-enrollment Server
  Checking the Auto-enrollment Server installation
    Verify adminservice.log file
    Verify the Web server is passing requests to Auto-enrollment Server
    Verify installation log file
    Verify configuration log file

Customizing the Auto-enrollment Server
  What you should have from Entrust for Auto-enrollment Server customizations
  Customizing the certificate type and user role
    Configuring a default certificate type
    Configuring a default User Role
    Configuring the client information setting
  Customizing certificate lifetimes
  Customizing a user's Distinguished Name (DN)
  Customizing a search base for enrolling clients
  Configuring the DNS name

Configuring queuing
  Enabling queuing in Auto-enrollment Server
  Configuring the ae-defaults.xml file to queue requests
  Configuring the queuing monitor
  Approving or rejecting requests in Administration Services

Troubleshooting
  Logging configuration
    Setting the log level
    Setting the log file location
    Setting the maximum log file size
    Setting the number of backup log files allowed
    Setting the maximum message length
  Time synchronization
  Error messages

Glossary of terms

Writing your own DN Builder implementation code
  DN Builder examples
  Customizing the DN builder code
  DistinguishedNameBuilderDefaultImp
    Customizing the default DN Builder implementation
    Constructor Summary
    Method Summary
    Constructor Detail
    Method Detail
  ActiveDirectoryUserInfo
    Method Summary
    Method Detail

Index


1 About Auto-enrollment Server

The Entrust Authority Auto-enrollment Server creates certificates and sends these transparently to an Entrust Entelligence Security Provider for Windows client. The following topics provide an introduction to Auto-enrollment Server:
Overview on page 8
Auto-enrollment Server system components on page 9
How the auto-enrollment process works on page 13

Overview

The Auto-enrollment Server simplifies certificate deployment by providing automatic enrollment of keys and certificates to users and computers. Enrollment is also transparent to the administrator (the level of transparency to the end user depends on the user key store selected for key protection). The Auto-enrollment Server communicates with the Security Provider for Windows client to automatically deliver a certificate to Windows-based users or computers. Auto-enrollment Server can provide a certificate to the following Windows-based machines:
Laptops and desktops
Microsoft Windows IIS Web browsers and servers
Domain Controllers
Authentication clients and servers (RRAS, IAS, VPN, RADIUS servers)

Note: The Security Provider for Windows client must be online at the time of the initial auto-enrollment request, in order for the request to be processed by Auto-enrollment Server.

When the enrollment request is sent from the Security Provider for Windows client to Auto-enrollment Server, the enrollment may be processed automatically or it may be queued. Queuing is an optional feature which takes an enrollment request and holds it at the Auto-enrollment Server for approval by an administrator. In the case of an automatically processed request, Auto-enrollment Server contacts the Certification Authority (CA) for approval. Once the auto-enrollment request has been approved, automatically or by the administrator in the case of queuing, the authorization code and reference number are passed to the Security Provider for Windows client. The Security Provider for Windows client uses the authorization code and reference number to complete the enrollment process. These activation codes are sufficient on their own to complete enrollment as that user or computer, which is why the connection that carries them must be SSL-protected and Windows-authenticated (see Tier 2).

Auto-enrollment Server system components

The following figure provides an illustration of the Auto-enrollment Server system components in a three-tier client/server environment:
Figure 1: Auto-enrollment Server system components

Tier 1

Entrust Entelligence Security Provider for Windows (Security Provider) is known as the tier 1 client component in this three-tier client/server environment.

Note: You host the Security Provider client.

Entrust Entelligence Security Provider for Windows
Entrust Entelligence Security Provider for Windows (Security Provider) is the client that transparently communicates with Auto-enrollment Server to enroll certificates. Auto-enrollment Server transparently issues certificates to a user or computer through Security Provider. Auto-enrollment is enabled per CA by configuring the following registry values:
AutoEnrollUserURL
AutoEnrollMachineURL
You can configure the registry values in the Windows registry of the machine on which Security Provider is installed, or through Security Provider's Custom Installation wizard (Specify Entrust PKI Information page). For more information on adding these values, see the Entrust Entelligence Security Provider for Windows Administration Guide. A CA can have user auto-enrollment and machine auto-enrollment enabled for it. If the AutoEnrollUserURL value is present, user auto-enrollment is enabled for that CA. If the AutoEnrollMachineURL value is present, machine auto-enrollment is enabled for that CA. Both values accept a list of Auto-enrollment Server URLs so that connections to multiple Auto-enrollment Servers can be attempted. If a connection to the first Auto-enrollment Server does not work, the second server URL is tried, and so on. Once a connection is established with one Auto-enrollment Server, connections to other servers are not attempted. Because the client accepts whichever server in the list it reaches first, every URL in the list must point at a server you operate and must use HTTPS.

Tier 2

The Microsoft Internet Information Services (IIS) Web Server and Tomcat Application Server are known as tier 2 in the three-tier client/server environment. The Web Server and Application Server provide the middle-tier processing between Security Provider and the CA.

Note: You host the IIS Web Server and the Tomcat Application Server.

Microsoft Internet Information Services (IIS) Web Server
Security Provider for Windows communicates with the Microsoft IIS Web Server through a firewall. SSL must be used on the Web Server to secure the connection between Security Provider and Auto-enrollment Server. Security Provider communicates directly with an SSL-enabled Microsoft IIS Web Server over HTTPS. The Microsoft IIS Web Server is configured to authenticate Security Provider through Integrated Windows Authentication using the NTLM or Kerberos authentication method. This Windows identity is the only authentication the request receives, and it is what Auto-enrollment Server maps to the certificate subject, so the authentication settings on this Web server directly determine who can obtain a certificate.

Tomcat Application Server
The Tomcat Application Server is connected directly to the Microsoft IIS Web Server. The Microsoft IIS Web Server communicates through a Tomcat ISAPI filter to a JK2 Connector in the Tomcat Application Server. The JK2 Connector passes information to the Auto-enrollment Server located in the Tomcat Application Server.

Tier 3

Entrust Managed Services PKI certification authority (CA) is known as the tier 3 server component in a three-tier client/server environment.

Note: Entrust Managed Services PKI hosts the CA.

Entrust Managed Services PKI certification authority
Entrust Managed Services PKI runs the certification authority (CA) for the Auto-enrollment Server system. The main functions of the CA are to:
create certificates for all public keys
create encryption key pairs
provide a managed, secure database of information that allows the recovery of encryption key pairs
enforce the security policies defined by your organization
publish Certificate Revocation Lists (CRLs)
publish Policy Certificates
Auto-enrollment Server must be able to communicate with the XML Administration Protocol (XAP) Server running as part of the CA. Communication between these components is XAP over HTTPS.

Directory
The majority of information requests involve retrieving certificates. To make this information publicly available, the CA uses a public repository known as a directory. The directory is an LDAP (Lightweight Directory Access Protocol) compliant directory service. Information that is made public through the directory includes:
user certificates
lists of revoked certificates
client policy information
Public encryption certificates for each user, certificate revocation lists (CRLs), and other information are written from the CA to the directory. Auto-enrollment Server servlets need access to the directory in order to log in to their profiles.

Database
The database is under the control of Entrust Managed Services PKI and acts as a secure storage area for all information related to the CA. The database stores:
the CA signing key pair (this key pair may be created and stored on a separate hardware device rather than in the database)
user or computer status information
the encryption key pair history (including all decryption private keys and encryption public key certificates) for each user and computer
the verification public key history (including all verification public key certificates) for each user and computer
the validity periods for signing key pairs, encryption key pairs, and system cross-certificates
Security Officer and administrator information
CA policy information
revocation information

Note: All information stored in the database is secured to protect against tampering.

How the auto-enrollment process works

The following sections provide a high-level view of the auto-enrollment process:
Auto-enrollment request on page 13
Choice of certificate type and role on page 13
Auto-enrollment decision procedure on page 14
Enrollment and recovery queues for administrator approval on page 14

Auto-enrollment request
Security Provider sends an auto-enrollment request over SSL to the Microsoft IIS Web Server. Windows Authentication is performed, using the NTLM or Kerberos authentication protocol, and this determines the Windows domain and name of the remote client that sent the request. An authentication servlet in the Tomcat Application Server receives the request through the ISAPI connector. The client is authenticated primarily through membership in a Windows domain. The user's Windows domain and account name must then be mapped by the server to an X.500 distinguished name (DN): Auto-enrollment Server builds the DN from the Windows domain and user name found in the auto-enrollment request, and the default mapping creates a common name from the user's Windows domain login name. There may be messages sent from the Auto-enrollment Server to the directory to determine the first and last names. The administrator can choose to customize the distinguished name (DN) builder implementation instead of using the default. The DistinguishedNameBuilder interface can be used to define your own mapping procedure. Refer to the section Customizing a user's Distinguished Name (DN) on page 97.

Choice of certificate type and role
The choice of certificate type and user role is made by Auto-enrollment Server and is configurable in the ae-defaults.xml file. Refer to the section Customizing the certificate type and user role on page 91 for further information. When Auto-enrollment Server decides the certificate type and role that will be used for the enrollment, it communicates this to the CA so the appropriate identity is created.

Auto-enrollment decision procedure
When the auto-enrollment/recovery request is sent from Security Provider to Auto-enrollment Server, Auto-enrollment Server sends one of the following three types of responses to Security Provider:
Approval response: a response that includes an authorization code and reference number Security Provider can use to communicate with the CA and enroll/recover the user or computer. The response also indicates the validity period of these activation codes and whether an enrollment or recovery should be performed.
Queued response: a response which indicates that the request has been queued for administrative approval.
Rejection response: a response that includes an error code and reason indicating why the auto-enrollment/recovery cannot occur.
Once Security Provider has the approval response, communication with Auto-enrollment Server is complete. The enrollment or recovery is then performed through direct communication with the CA.

Enrollment and recovery queues for administrator approval
When an auto-enrollment request is sent from Security Provider to Auto-enrollment Server, Auto-enrollment Server can be configured to process the request immediately or to queue it. Queuing is an optional feature: the enrollment request waits at Auto-enrollment Server for approval by an administrator. Refer to the chapter Configuring queuing on page 101 for further information on configuring queuing.

When an auto-recovery request is sent from Security Provider to Auto-enrollment Server, Auto-enrollment Server can be configured to process the request immediately, queue the recovery request, or reject the request immediately. For further information on what triggers an auto-recovery request, refer to the Entrust Entelligence Security Provider for Windows Administration Guide.

When queuing is enabled, all auto-recovery requests are placed in the queue and the administrator decides whether an auto-recovery should be granted or denied. When queuing is not enabled, auto-recoveries are granted or denied automatically as follows:
Granted:
when the signing certificate is expired
when the user is in the Key Recovery state at the CA
Denied:
when the signing certificate is revoked
when updates are not allowed at the CA for this user

Note that without queuing, the Windows authentication performed by the IIS Web server is the only check made before a user's encryption key history is recovered; organizations that want a human decision in that path should enable queuing.

When an auto-recovery is denied, Auto-enrollment Server returns an error to Security Provider. When the error message is displayed to the end user, explaining that the auto-recovery attempt failed, the user must inform their administrator that a recovery is required. To enable key recovery for the user, the administrator has to set the user for Key Recovery at the CA. This switches the user from the Active state into the Key Recovery state at the CA, and the next auto-recovery request is granted automatically by Auto-enrollment Server.
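The decision procedure and the un-queued auto-recovery rules above, written out as an added Python example. This is not Entrust's code: the UserRecord fields, the Decision type and the reject_recovery switch are names assumed for the example, and the order in which the grant and deny conditions are evaluated is the example's own choice, since the guide lists the conditions but not a precedence.

```python
from dataclasses import dataclass


@dataclass
class UserRecord:
    """What Auto-enrollment Server can learn about the requester from the CA.

    Field names are assumed for this example; the guide names the states
    (Active, Key Recovery) and the four recovery conditions but no schema.
    """
    state: str                          # "Active" or "Key Recovery"
    signing_cert_expired: bool = False
    signing_cert_revoked: bool = False
    updates_allowed: bool = True


@dataclass
class Decision:
    """One of the three response types the server returns to Security Provider."""
    kind: str        # "approval", "queued" or "rejection"
    operation: str   # "enroll" or "recover"
    reason: str


def decide(operation: str, user: UserRecord, queuing_enabled: bool,
           reject_recovery: bool = False) -> Decision:
    """Map a request to an approval, queued or rejection decision.

    reject_recovery models the guide's option to reject recovery requests
    immediately. With queuing off, the deny conditions are evaluated before
    the grant conditions and a request matching neither is rejected; this
    fail-closed order is the example's choice, not something the guide states.
    For an approval the caller still contacts the CA for the activation codes.
    """
    if operation not in ("enroll", "recover"):
        raise ValueError(f"unknown operation {operation!r}")

    if operation == "recover" and reject_recovery:
        return Decision("rejection", operation, "auto-recovery is rejected by configuration")

    if queuing_enabled:
        # Enrollment and recovery requests both wait for an administrator.
        return Decision("queued", operation, "held for administrator approval")

    if operation == "enroll":
        return Decision("approval", operation, "enrollment processed automatically")

    # Un-queued auto-recovery: the guide's deny list, then its grant list.
    if user.signing_cert_revoked:
        return Decision("rejection", operation, "signing certificate is revoked")
    if not user.updates_allowed:
        return Decision("rejection", operation, "updates are not allowed at the CA for this user")
    if user.signing_cert_expired:
        return Decision("approval", operation, "signing certificate is expired")
    if user.state == "Key Recovery":
        return Decision("approval", operation, "user is in the Key Recovery state at the CA")
    return Decision("rejection", operation,
                    "no automatic recovery condition applies; an administrator must set the user for Key Recovery")


def set_key_recovery(user: UserRecord) -> UserRecord:
    """The administrator action the guide describes: Active -> Key Recovery at the CA."""
    if user.state != "Active":
        raise ValueError(f"cannot set Key Recovery from state {user.state!r}")
    user.state = "Key Recovery"
    return user


if __name__ == "__main__":
    # Constructed walk-through: a user whose signing certificate is still valid asks
    # for recovery with queuing off, is rejected, and succeeds once the administrator acts.
    alice = UserRecord(state="Active")
    print(decide("recover", alice, queuing_enabled=False))
    set_key_recovery(alice)
    print(decide("recover", alice, queuing_enabled=False))
```

The revoked-before-expired ordering matters: a user whose signing certificate is both expired and revoked must not be granted an automatic recovery, so the deny checks run first.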

How the distinguished name (DN) is created

Auto-enrollment Server may create a distinguished name (DN) for the user or computer if a DN does not already exist in the directory. The default behavior of the DN builder implementation in the Auto-enrollment Server is to take the user or computer name and the domain name to create a DN for this user or computer. If the DN already exists in the directory, most likely when Active Directory is used, it will not be created. If the DN does not already exist in the directory, the DN is added. When the DN is created for a user or computer, it is created differently based upon the directory and whether it is a DN for a user or a computer.

LDAP Directory
The DN of the user or computer is created from the user or computer name, the Windows domain name and the DN of the CA. For example, assume the following:
the computer name is yottbsmith
the Windows user is bsmith
the domain name is SOMEDOMAIN
the complete domain name is SOMEDOMAIN.abc.com
the CA DN is ou=someunit, o=abc, c=ca
The user being auto-enrolled will have the following default Subject name:
cn=bsmith SOMEDOMAIN, ou=someunit, o=abc, c=ca
The computer being auto-enrolled will have the following default Subject name (a Windows computer account name carries a trailing $):
cn=yottbsmith$ SOMEDOMAIN, ou=someunit, o=abc, c=ca
When your organization requires you to create DNs for your users or computers in a different manner than the above example, you may choose to customize the default DN builder implementation. Refer to the section Customizing a user's Distinguished Name (DN) on page 97 for further details.

Active Directory
The DN for the user or computer in Active Directory is used for the DN in Entrust Managed Services PKI. There are no exceptions and this cannot be customized.

Note: This is advanced configuration. Contact your Entrust representative for more information.

For example, assume the following:
the computer name is yottbsmith
the Windows user is bsmith
the domain name is SOMEDOMAIN
the complete domain name is SOMEDOMAIN.abc.com
the machine with Active Directory running on it (the domain controller) has the machine name SOMESERVER
the CA DN is cn=someserver, cn=aia, cn=public Key Services, cn=services, cn=configuration, dc=somedomain, dc=abc, dc=com
The user being enrolled will have the following default Subject name:
cn=bsmith, cn=users, dc=somedomain, dc=abc, dc=com
The computer being auto-enrolled will have the following Subject name:
cn=yottbsmith, cn=computers, dc=somedomain, dc=abc, dc=com

How the subjectaltname is created
Auto-enrollment Server may create a subjectaltname for the user or computer. The default behavior of the DN builder implementation in Auto-enrollment Server is to add a subjectaltname for computers and not to add one for users. Auto-enrollment Server takes the computer name and domain and builds the dnsname, for example, dnsname=computer_name.complete_domain_name. This value is provided when the user or computer is being added to the CA. Entrust Managed Services PKI then adds the dnsname to the SubjectAltName extension of the certificate. For example, assume the following:
the computer name is yottbsmith
the domain name is SOMEDOMAIN
the complete domain name is SOMEDOMAIN.abc.com
The dnsname of the above example is:
dnsname=yottbsmith.somedomain.abc.com
Auto-enrollment Server does a DNS lookup to get the domain. If the DNS lookup fails, as a backup you can customize the ae-defaults.xml file to build a dnsname. Refer to the section Configuring the DNS name on page 99 for further instructions.

How the subjectaltname is created for domain controller certificates
Certificates for domain controllers always have extra information added to the subjectaltname. This complies with the Requirements for Domain Controller Certificates from a Third-Party CA (article ID ) as documented by Microsoft. In addition to the dnsname, the certificate must include the globally unique identifier (GUID) of the domain controller object in the directory. The GUID is carried in the subjectaltname as an Other Name, and it is DER encoded. An example of a subjectaltname with the GUID of the domain controller object in the directory and the DNS name is:
Other Name: = ac 4b aa d6 5d 4f a9 9c 4c bc b0 6a 65 d9
DNS Name=ComputerNameOfDomainController.SOMEDOMAIN.abc.com
When Security Provider creates the auto-enrollment request message for Auto-enrollment Server, it checks if the computer is a domain controller. If it is, it queries Active Directory for the GUID of the domain controller. Security Provider for Windows will then include the following two pieces of information in the request message to the Auto-enrollment Server:
confirmation that the computer is a domain controller
the GUID
Passing this information in the request message allows Auto-enrollment Server to set extra information in the subjectaltname when necessary. Both values are supplied by the client in its request; the Windows identity established by the IIS Web server is what ties that request to a real computer account.
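The dnsname rule and the domain controller subjectAltName described above, as an added Python example that is not Entrust's or Microsoft's code. It builds the dnsname, DER-encodes the two GeneralName entries (the otherName carrying the domain controller GUID and the dNSName), and decodes them back so the extension of an issued domain controller certificate can be checked for both entries. The object identifier 1.3.6.1.4.1.311.25.1 is Microsoft's szOID_NTDS_REPLICATION, the otherName type used for the domain controller GUID; the guide does not print it. The GUID is taken as the raw 16 bytes supplied in the request with no byte-order conversion, and the host names and GUID value used in the usage are constructed.

```python
from typing import List, Optional, Tuple

# Microsoft's szOID_NTDS_REPLICATION: the otherName type-id for the DC object GUID.
NTDS_REPLICATION_OID = "1.3.6.1.4.1.311.25.1"


def build_dnsname(computer_name: str, complete_domain: str) -> str:
    """dnsname=<computer name>.<complete domain name>, lower-cased as in the guide's example."""
    return f"{computer_name}.{complete_domain}".lower()


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def _oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))


def build_subject_alt_name(dnsname: str, dc_guid: Optional[bytes] = None) -> bytes:
    """DER GeneralNames for a computer certificate.

    Ordinary computers get only dNSName; a domain controller also gets
    otherName { type-id szOID_NTDS_REPLICATION, value [0] OCTET STRING guid }.
    The GUID bytes are used exactly as supplied (assumption: no reordering).
    """
    names = []
    if dc_guid is not None:
        if len(dc_guid) != 16:
            raise ValueError("the domain controller object GUID must be 16 bytes")
        # otherName is [0] IMPLICIT SEQUENCE; its value field is [0] EXPLICIT.
        other_name = _oid(NTDS_REPLICATION_OID) + _tlv(0xA0, _tlv(0x04, dc_guid))
        names.append(_tlv(0xA0, other_name))
    names.append(_tlv(0x82, dnsname.encode("ascii")))  # dNSName is [2] IMPLICIT IA5String
    return _tlv(0x30, b"".join(names))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_subject_alt_name(der: bytes) -> List[Tuple[str, object]]:
    """Decode GeneralNames into ('dc_guid', bytes) / ('dnsname', str) / ('other', bytes) pairs."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("subjectAltName must be exactly one DER SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag == 0x82:
            names.append(("dnsname", content.decode("ascii")))
        elif tag == 0xA0:
            oid_tag, oid_body, after_oid = _read_tlv(content, 0)
            _, explicit, _ = _read_tlv(content, after_oid)
            _, value, _ = _read_tlv(explicit, 0)
            if oid_tag == 0x06 and _tlv(0x06, oid_body) == _oid(NTDS_REPLICATION_OID):
                names.append(("dc_guid", value))
            else:
                names.append(("other", value))
        else:
            names.append(("other", content))
    return names


def is_domain_controller_san(der: bytes) -> bool:
    """The check behind the Microsoft requirement: both the DC GUID and a dNSName are present."""
    kinds = {kind for kind, _ in parse_subject_alt_name(der)}
    return {"dc_guid", "dnsname"} <= kinds


if __name__ == "__main__":
    # Constructed sample: a domain controller named SOMESERVER and a made-up GUID.
    guid = bytes(range(16))
    san = build_subject_alt_name(build_dnsname("SOMESERVER", "SOMEDOMAIN.abc.com"), guid)
    print(san.hex())
    print(parse_subject_alt_name(san), is_domain_controller_san(san))
```

The decoder is deliberately narrow: it understands only the two GeneralName forms this guide produces and reports anything else as "other", which is enough to confirm that a domain controller's certificate carries both entries before it is put into service.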

2 Preparing for installation

This chapter describes how to prepare for the Auto-enrollment Server installation. Read this chapter if you are the system administrator installing and configuring machines hosting the Auto-enrollment Server components. This chapter contains the following sections:
Planning your installation on page 20
Step 1: Installing the Web Server on page 22
Step 2: Obtaining a Web server certificate on page 24
Step 3: Assigning the certificate to your Web server on page 42
Step 4: Enabling SSL on your Web server on page 51
Step 5: Configuring integrated Windows authentication on page 56
Step 6: Testing the SSL-enabled Web server on page 60
Step 7: Obtaining a certificate for Auto-enrollment Server on page 61

Planning your installation

The following flowchart illustrates the pre-installation steps required for Entrust Managed Services PKI customers installing Auto-enrollment Server.
Figure 2: Pre-installation flowchart

Attention: Auto-enrollment Server is an add-on that works together with Entrust Entelligence Security Provider (Security Provider). As such, you must already have Security Provider installed at this time. Security Provider and related documentation are available for download from Entrust TrustedCare at

What you should have from Entrust for the pre-installation
Ensure you have all the items listed in the table below. If you do not, contact Entrust Managed Services PKI.

Table 1: Pre-install check list (Item / Have it?)
Your organization's URL to Administration Services, a Web-based application that allows you to create and manage certificates and accounts.
Credentials to access Entrust TrustedCare ( which allows you to download purchased software and related documentation.
Entrust Managed Services PKI Welcome letter, specifically the name of the Certificate type to select when creating the Web Server certificate account.

Pre-installation tasks
You must complete the following tasks, in order, prior to installing Auto-enrollment Server.

Note: This guide assumes you have already obtained an administrator certificate. If you are an Entrust Managed Services PKI customer but have not yet created an administrator certificate, see the Administrator Guide under the Resources tab of

Step 1: Installing the Web Server on page 22
Step 2: Obtaining a Web server certificate on page 24
Step 3: Assigning the certificate to your Web server on page 42
Step 4: Enabling SSL on your Web server on page 51
Step 5: Configuring integrated Windows authentication on page 56
Step 6: Testing the SSL-enabled Web server on page 60
Step 7: Obtaining a certificate for Auto-enrollment Server on page 61

Step 1: Installing the Web Server

If you have not done so already, install the Microsoft IIS Web Server.

Note: Ensure you understand all specific security requirements for your product.

The following procedure describes the Microsoft IIS Web Server installation on a Windows 2003 server.

To install Microsoft IIS Web Server (Windows 2003 Server)
1 Click Start > Control Panel > Add or Remove Programs. The Add or Remove Programs dialog box appears.
2 From the left menu pane, select Add/Remove Windows Components. After a few moments, the Windows Components Wizard dialog box appears.
3 Select Application Server and click Next.
Note: This performs a default installation, which installs more components than Auto-enrollment Server needs. For production purposes, consult your organization's security policy to determine which components to install and leave out the rest.
4 Once complete, click Finish.

Step 2: Obtaining a Web server certificate

To enable SSL between the Security Provider for Windows client and the Microsoft IIS Web server, a certificate for the Web server is required. If you are deploying Auto-enrollment Server in a multi-domain environment, ensure that each Microsoft IIS Web server is issued a certificate. Complete the following procedures, in order:
To log in to Administration Services on page 24
To create a Web server certificate account on page 26
To enroll for the Web server certificate using Security Provider on page 33

To log in to Administration Services
1 Enter the Administration Services URL provided by Entrust Managed Services PKI into a browser. The login page appears.
2 Depending on where you stored your administrator certificate, do one of the following:
If you stored your certificate in the Entrust desktop security store on your computer:
a Click Browse to navigate to the location where you stored your administrator digital ID (.epf file) and click Open. The file name and path appear in the Entrust Desktop Security Store File Name field. Select Remember Entrust Desktop Security Store File Name to retain the path.
b Enter the password you created for your certificate and click Log in.
If you stored your certificate within the Windows framework or on a smart card or token:
a Click the Log in with my Third-Party Security Store link. The Administrator Login - Third-Party Security Store page appears.
Note: If logging in with a smart card or token, ensure it is connected to your computer.
b Click Display certificate list. The Select Certificate dialog box appears listing one or more digital certificates.
c Select your certificate from the list and click OK.
Upon successful login, the main page appears. You have successfully logged in to Administration Services.

To create a Web server certificate account
1 If you are not already logged in to Administration Services, do so now. See To log in to Administration Services on page 24 for more information. The main page appears.
2 Click Create Account under Account Tasks in the main pane or under Tasks in the left-hand menu. The initial Create Account page appears.
3 From the User Type drop-down list, select Web server.
4 From the Certificate Type drop-down list, select your company's specific certificate type. Consult your Entrust Managed Services PKI Welcome letter for more information.
5 Click Submit. A second Create Account page appears where you provide the Web server name and other information.
6 In the User Information section:
a In the Name field, enter the fully qualified domain name (FQDN) of the server (for example, test.dev.ad.entrust.com).
b Optionally, enter a description of the Web server certificate account in the Description field.
7 Leave the Notification field empty.
8 In the Group Membership section, select the member option. If no groups are configured, only the default group appears.
9 In the Role section, select End User from the drop-down list.
10 In the Location section, click Select the searchbase and select your company name from the drop-down list (an entry for your organization was created in the directory when you signed up for Entrust Managed Services PKI). This specifies where to add the Web server account in the Administration Services LDAP directory.
11 Click Submit. The Create Account - Complete page appears.
12 Securely record the reference number and authorization code. You need these activation codes later during enrollment. Anyone who obtains them before you use them can enroll for this server's certificate, so store them as you would a password and use them promptly.
13 Click the name of your Web server certificate in the Name column on the Create Account - Complete page. The Account Details - <Web server name> page appears, where <Web server name> is the FQDN of your Web server.
14 Scroll down and click Edit Account.
15 On the Edit Account - Basic Information page, scroll down to the bottom of the page and click the Edit Advanced Information link. The Edit Account - Advanced Information page appears.
16 In the Subject Alternative Naming Information section, enter the following in the DNS field (including the quotation marks):
"dnsname=<FQDN>"
where <FQDN> is the fully qualified domain name of your Web server.
Note: If your machine is known by multiple names on the network, you can put multiple dnsname entries into the certificate, separated by a space. This allows a single certificate to be used for all instances. List only names that belong to this server, since clients will accept the certificate for every name it contains.
17 Proceed to the procedure To enroll for the Web server certificate using Security Provider on page 33.

To enroll for the Web server certificate using Security Provider
1 Open the Microsoft Management Console:
a Click Start > Run.
b Enter mmc and click OK. The console appears.
2 From the console, click File > Add/Remove Snap-in. The Add/Remove Snap-in dialog box appears.
3 From the Standalone tab, click Add. The Add Standalone Snap-in dialog box appears.
4 Select Entrust Computer Digital ID from the snap-in list, and click Add. The Select Computer dialog box appears.
5 Select Local computer and click Finish.
6 Click Close to close the Add Standalone Snap-in dialog box.
7 Click OK on the Add/Remove Snap-in dialog box. The console reappears with the Entrust Computer Digital ID snap-in listed.
8 From the left pane of the console, right-click Entrust Computer Digital ID and select Enroll Computer for Entrust Digital ID. The Welcome to the Enroll Computer for Entrust Digital ID Wizard appears.
9 Click Next. The Specify the activation codes screen appears.
10 Enter the reference number and authorization code you obtained in Step 12 on page 30 into the respective fields and click Next. Security Provider contacts the Entrust Managed Services PKI Certification Authority (CA) and, when successful, displays the Confirm Entrust Digital ID Enrollment screen.
11 Click Next. A security warning may appear advising you that you are about to install a certificate issued from the Entrust Managed Services PKI Certification Authority (CA).
12 Click Yes to install the certificate. The Completing the Enroll Computer for Entrust Digital ID Wizard screen appears.
13 Click Finish. You have successfully enrolled your Web server certificate.

Step 3: Assigning the certificate to your Web server

Complete the following procedure to assign the SSL certificate to your Web server.

To assign the certificate to your Web server

1 Click Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager. The Internet Information Services (IIS) Manager appears.
2 In the left pane, expand <x> (local computer) and then expand the Web Sites folder, where <x> is the name of your computer. (In the screenshot above, the computer is named TEST.)
3 Right-click the Web site you want to configure for SSL (for example, Default Web Site) and select Properties. The <x> Properties dialog box appears, where <x> is the name of the Web site you selected to configure.
4 Click the Directory Security tab. The Directory Security tab appears.
5 In the Secure communications section, click Server Certificate. The Welcome to the Web Server Certificate Wizard screen appears.
6 Click Next. The Server Certificate screen appears.
7 Select Assign an existing certificate and click Next. The Available Certificates screen appears.
8 Select the certificate you created for your Web server and click Next. The SSL Port screen appears.
9 Accept the default SSL port 443 and click Next. The Certificate Summary screen appears.
10 Verify that everything is correct and click Next. The Completing the Web Server Certificate Wizard screen appears.
11 Click Finish. You have successfully assigned your SSL Web server certificate in Microsoft IIS.

Step 4: Enabling SSL on your Web server

You must enable SSL encryption on your Microsoft IIS Web server to secure the connection between the browser on the machine where Security Provider is installed and Auto-enrollment Server. When configuring your Web server, it is advised that you do the following:

- Enforce 128-bit encryption for browsers accessing your Microsoft IIS Web Server.
- Enable server-side SSL authentication only, so that the client checks the server's Web certificate but there is no mutual authentication (client certificates are ignored).

The following procedure describes how to enable SSL on Microsoft IIS Web server 6.0. For all other versions, follow the instructions provided in your Microsoft IIS Web server documentation.

Note: Restart your Microsoft IIS Web server after enabling it for SSL.

To enable SSL on Microsoft IIS Web Server

1 Click Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager. The Internet Information Services (IIS) Manager appears.
2 In the left pane, expand <x> (local computer) and then expand the Web Sites folder, where <x> is the name of your computer. (In the screenshot above, the computer is named TEST.)
3 Right-click the Web site you want to configure for SSL (for example, Default Web Site) and select Properties. The <x> Properties dialog box appears, where <x> is the name of the Web site you selected to configure.
4 Click the Directory Security tab. The Directory Security tab appears.
5 In the Secure communications section, click Edit. The Secure Communication dialog box appears.
6 Select the following:
   - Require secure channel (SSL)
   - Require 128-bit encryption
   Note: Ensure Ignore client certificates is selected.
7 Click OK. The Directory Security tab reappears.
8 Click OK. The Inheritance Overrides dialog box appears.
9 Click OK. You have successfully enabled SSL on your Web server.
10 Restart your Web server:
   a Click Start > All Programs > Administrative Tools > Services.
   b From the main pane, select IIS Admin Service.
   c Click the Restart the service link.

Step 5: Configuring integrated Windows authentication

After configuring SSL on your Web server, you must configure integrated Windows authentication. If you do not configure integrated Windows authentication, an Entrust Entelligence Security Provider for Windows user cannot enroll for a certificate.

To configure integrated Windows authentication

1 Click Start > All Programs > Administrative Tools > Internet Information Services (IIS) Manager. The Internet Information Services (IIS) Manager appears.
2 In the left pane, expand <x> (local computer) and then expand the Web Sites folder, where <x> is the name of your computer. (In the screenshot above, the computer is named TEST.)
3 Right-click the Web site you configured for SSL (for example, Default Web Site) and select Properties. The <x> Properties dialog box appears, where <x> is the name of the Web site you are configuring for integrated Windows authentication.
4 Click the Directory Security tab. The Directory Security tab appears.
5 In the Authentication and access control section, click Edit. The Authentication Methods dialog box appears.
6 In the Authenticated Access section, select Integrated Windows authentication.
7 Click OK to close the Authentication Methods dialog box.
8 Click OK to close the Internet Information Services (IIS) Manager dialog box. You have successfully configured integrated Windows authentication.

Step 6: Testing the SSL-enabled Web server

To ensure that your Web server has been installed and configured properly, test the SSL connection between the Microsoft IIS Web server and a Security Provider for Windows client browser.

To test the Web server

From your Security Provider for Windows client, visit your sample Web site using https in the URL instead of http. If your sample Web site appears, your Web server and SSL are running properly. Your Web browser should indicate a secure connection by displaying a solid key or lock icon.

Figure 3: SSL lock icon in Internet Explorer
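The browser test above only shows that a connection was made. The following script, added here as an example and not part of the Entrust guide, scripts the same test more strictly: it connects to the SSL-enabled site, confirms that the certificate's subjectAltName carries every dnsname entry you put into the certificate in Step 2, and confirms that the negotiated cipher meets the 128-bit requirement from Step 4. The host names, the cipher tuple in the comments and the check_server/probe helper names are assumptions for illustration.

```python
import socket
import ssl

# Minimum cipher strength enforced in Step 4 (Require 128-bit encryption)
MIN_CIPHER_BITS = 128


def san_dns_names(cert):
    """Return the dnsName entries of a certificate given in the dict form
    that ssl.SSLSocket.getpeercert() returns, e.g.
    {"subjectAltName": (("DNS", "aes.example.com"), ("DNS", "aes"))}."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_server(cert, cipher, expected_fqdns, min_bits=MIN_CIPHER_BITS):
    """Compare what the server presented with what Steps 2 and 4 should have
    produced. cipher is the (name, protocol, bits) tuple from SSLSocket.cipher().
    Returns a list of findings; an empty list means the SSL setup matches."""
    findings = []
    names = {n.lower() for n in san_dns_names(cert)}
    for fqdn in expected_fqdns:
        if fqdn.lower() not in names:
            findings.append("certificate SAN lacks dnsName %s" % fqdn)
    if not names:
        findings.append("certificate has no subjectAltName dnsName entries")
    name, version, bits = cipher
    if bits < min_bits:
        findings.append("negotiated cipher %s (%s) is only %d-bit" % (name, version, bits))
    return findings


def probe(fqdn, port=443, expected_fqdns=None):
    """Connect to the SSL-enabled IIS site, validate the chain the way a browser
    would (the issuing CA must be in the local trust store, as for the browser
    test), and run check_server() on the live certificate and cipher."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    with socket.create_connection((fqdn, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            return check_server(tls.getpeercert(), tls.cipher(),
                                expected_fqdns or [fqdn])


if __name__ == "__main__":
    # Constructed host names; replace with your Web server's FQDN(s)
    for finding in probe("aes.example.com", expected_fqdns=["aes.example.com", "aes"]):
        print("FAIL:", finding)
```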

Step 7: Obtaining a certificate for Auto-enrollment Server

Before starting the Auto-enrollment Server installation process, you must obtain a certificate for Auto-enrollment Server. The certificate:
- verifies signatures
- establishes SSL connections
- signs XAP requests for the XAP Server
- signs files that are used by the User Registration Service (URS)

To obtain a certificate for Auto-enrollment Server, you must first create an account for the certificate in Administration Services and then enroll for the certificate using Security Provider. Complete the following procedures, in order:
- To create an account for Auto-enrollment Server in Administration Services on page 61
- To enroll for the Auto-enrollment Server certificate on page 65

Note: If you have more than one Auto-enrollment Server machine, it is recommended that you create a separate account for each server.

To create an account for Auto-enrollment Server in Administration Services

1 Log in to Administration Services. See To log in to Administration Services on page 24 for more information. The main page appears.
2 Click Create Account under Account Tasks in the main pane or under Tasks in the left-hand menu. The initial Create Account page appears.
3 From the User Type drop-down list, select Person.
4 From the Certificate Type drop-down list, select Enterprise - Admin Services User Registration.
5 Click Submit. A second Create Account page appears where you provide the account name and other information.
6 In the User Information section:
   a In the First Name field, enter a first name for your Auto-enrollment Server account (for example, AES).
   b In the Last Name field, enter any name (for example, User Registration).
7 Leave the E-mail and Notification fields empty.
8 In the Group Membership section, select the member option. If no groups are configured, only the default group appears.
9 In the Role section, select the custom role Entrust created for you from the drop-down list (for example, <organization name> User Registration, where <organization name> is the name of your company or organization).
10 In the Location section, click Select the searchbase and select your company name from the drop-down list (an entry for your organization was created in the directory when you signed up for Entrust Managed Services PKI). This specifies where to add the account in the Administration Services LDAP directory.
11 Click Submit. The Create Account - Complete page appears.
12 Securely record the reference number and authorization code. You need these activation codes later during enrollment.
13 Proceed to the procedure below: To enroll for the Auto-enrollment Server certificate on page 65.

To enroll for the Auto-enrollment Server certificate

1 Right-click the Security Provider icon in your task bar, and select Enroll for Entrust Digital ID. The Enroll for Entrust Digital ID Wizard appears.
2 Click Next. The Specify your activation codes screen appears.
3 Enter the reference number and authorization code you received in Step 12 on page 65 and click Next. Security Provider attempts to contact the Entrust Managed Services PKI Certification Authority (CA) and, when successful, displays the Confirm Entrust Digital ID Enrollment screen.
4 Click Next. The Entrust Security Store Location dialog box appears.
5 Select a location on your machine for the security store, which stores the certificate, and click Next. The default location is C:\Documents and Settings\Administrator\Application Data\Entrust Security Store.
   Note: If the folder does not exist, a dialog box appears asking if you want to create the location. Select Yes or No.
   The Entrust Security Store Name dialog box appears.
6 Enter a name for your certificate (.epf file), for example AESUserReg, and click Next. The Entrust Security Store Password dialog box appears.
7 Enter a password for your certificate, following the rules listed. The red x icons turn to green check marks as you satisfy the requirements.
8 Click Finish. The Completing the Enroll for Entrust Digital ID Wizard screen appears.
9 Click Finish. You have successfully obtained a certificate for Auto-enrollment Server and completed all the pre-installation tasks.

3 Installing Auto-enrollment Server

This chapter describes the steps required to install and configure Auto-enrollment Server. This chapter includes:
- Installing Auto-enrollment Server on page 74
- Checking the Auto-enrollment Server installation on page 86

What you should have from Entrust for the installation of Auto-enrollment Server

Ensure you have all the items listed in the table below. If you do not, contact Entrust Managed Services PKI.

Table 2: Install check list

Item | Have it?
Credentials to access Entrust TrustedCare, which allows you to download purchased software and related documentation | [ ]
The entrust.ini file, which is needed for the installation of Auto-enrollment Server | [ ]

Installing Auto-enrollment Server

The InstallShield Auto-enrollment Services Wizard installs and configures all of the Auto-enrollment Server components. Once you have successfully run the wizard, there are no other mandatory configuration steps.

Complete the following procedures to download Auto-enrollment Server from Entrust TrustedCare and to install the product:
- To download Auto-enrollment Server from Entrust TrustedCare on page 74
- To install Auto-enrollment Services on page 74

To download Auto-enrollment Server from Entrust TrustedCare

1 Log in to Entrust TrustedCare with your credentials.
2 Locate the Entrust Authority Auto-enrollment Server product and select the latest release (for example, 7.0).
3 From the Entrust Entelligence Auto-enrollment Server <version> download page, download the product zip under the Software heading.
   Attention: Check to see if there are Service Packs and/or Patches first. If there are, download the latest pack or patch instead.
4 Extract the zip file. You have successfully downloaded Auto-enrollment Server from Entrust TrustedCare.

To install Auto-enrollment Services

1 Open the Auto-enrollment folder you extracted in Step 4 on page 74, and double-click the AES_<version>_win.exe file, where <version> is the most recent version of Auto-enrollment Server (for example, 7.0). The install wizard appears.

2 Click Next. The license agreement screen appears.
3 Select I accept the terms of the license agreement and click Next. The install location screen appears.
   Note: If you do not accept the terms, you cannot proceed with the installation.
4 Browse for a location to install Auto-enrollment Server and click Next. The default location is C:\Program Files\Entrust\AutoEnrollmentServices. The entrust.ini location screen appears.
5 Specify the name and path of the entrust.ini file, which was provided to you by your Entrust representative, and click Next. The Auto-enrollment Server certificate (.epf) location screen appears.
6 Specify the name and path of the Auto-enrollment Server certificate you created in To enroll for the Auto-enrollment Server certificate on page 65 and click Next. You selected the path in Step 5 on page 69 and the name of the .epf file in the following step (for example, C:\Documents and Settings\Administrator\Application Data\Entrust Security Store\AESUserReg.epf). The Auto-enrollment Server certificate (.epf) password screen appears.
7 Enter the password for the Auto-enrollment Server certificate (.epf) you created in To enroll for the Auto-enrollment Server certificate on page 65 and click Next. You selected this password in Step 7 on page 71. The Web server instance screen appears.
8 Select the Web site that will host your Auto-enrollment Server application from the available list, and click Next. The Active Directory for credential storage screen appears.
9 Select No and click Next. The Active Directory as certificate repository screen appears.
10 Select No and click Next. The summary screen appears.
11 Read the information provided on the summary page and click Next. After a few moments, the wizard completes the installation of Auto-enrollment Server.
12 Click Finish to exit the wizard. You have successfully installed Auto-enrollment Server.

Checking the Auto-enrollment Server installation

After you have completed the Auto-enrollment Server installation, you may want to verify the following:
- Verify adminservice.log file on page 86
- Verify the Web server is passing requests to Auto-enrollment Server on page 86
- Verify installation log file on page 87
- Verify configuration log file on page 87

Verify adminservice.log file

The adminservice.log is the administration log file and displays Auto-enrollment Server information and errors. After installing Auto-enrollment Server, manually restart Auto-enrollment Server in Windows Services. The following event appears in the adminservice.log when services start successfully, without any errors:

    [ :24: ][DEBUG]UserRegistrationService][URSExtension.ini][][] Completed URS init

To verify the adminservice.log file

1 Click Start > All Programs > Administrative Tools > Services.
2 Select Entrust Authority (TM) Auto-enrollment Server from the list of services and click Restart the service.
3 Once restarted, wait a few moments and open the adminservice.log file in a text editor, such as Notepad. The log is located in the following directory:

    <install_directory>\autoenrollmentservices\logs\

where <install_directory> is the location of your Auto-enrollment Server install. By default, the install location is C:\Program Files\Entrust\.

Refer to the section Logging configuration on page 110 for detailed information on the administration log file.

Verify the Web server is passing requests to Auto-enrollment Server

After you have completed the Auto-enrollment Server installation, you should verify that the Microsoft IIS Web Server is properly passing requests on to the Auto-enrollment Server.

To verify the Microsoft IIS Web Server is passing requests to Auto-enrollment Server

1 Open a browser on the machine with your Web server installed and enter the Auto-enrollment Server URL for your server, where <FQDN> in the URL is the fully qualified domain name of the server (for example, test.dev.ad.entrust.com). The following should appear:
- SSL should be enabled
- an error specifying that a GET request was sent to Auto-enrollment Server

Verify installation log file

The installation log file can be used for information purposes or to diagnose installation-related problems. The installer logs the following information:
- detected environment information (for example, free space in the temp directory)
- any warnings that were issued and bypassed by the person installing the software
- actions performed (for example, files copied, .jar files created, and so on)
- error information
- InstallShield standard logging information (for example, extracting the JVM, evaluating conditions on whether or not to run an action)

Once the installation completes, the installation log file appears in the following location:

    <install_directory>\autoenrollmentservices\logs\autoenrollmentservices_installer.log

Verify configuration log file

The configuration log file can be used for information purposes or to diagnose configuration-related problems. The configuration logs the following information:
- auto-detected environment information
- answers to questions that the person installing the software provided
- actions performed (for example, files copied, configuration changed, and so on)
- detailed error information
- warnings

Once the installation completes, the configuration log file appears in the following location:

    <install_directory>\autoenrollmentservices\logs\autoenrollmentservices_configuration.log

4 Customizing the Auto-enrollment Server

You can configure the Auto-enrollment Server by modifying the ae-config.xml and ae-defaults.xml files.

Note: For any changes to take effect, you must restart the Entrust Authority Auto-enrollment Service in Windows Services.

This chapter describes how to customize Auto-enrollment Server:
- Customizing the certificate type and user role on page 91
- Customizing certificate lifetimes on page 96
- Customizing a user's Distinguished Name (DN) on page 97
- Customizing a search base for enrolling clients on page 98
- Configuring the DNS name on page 99

What you should have from Entrust for Auto-enrollment Server customizations

Ensure you have all the items listed in the table below. If you do not, contact Entrust Managed Services PKI.

Table 3: Auto-enrollment Server check list

Item | Have it?
Entrust Managed Services PKI Welcome letter, specifically the names of your: | [ ]
  - certificate type for users and computers
  - roles for users and computers
  - search base for enrolling clients

Customizing the certificate type and user role

Auto-enrollment Server settings can be used to choose a specific role and certificate type for users or computers. You can choose to keep the defaults or configure new defaults for your users and computers that are auto-enrolling.

Note: If you need to change a user's or computer's certificate type or role after they have auto-enrolled and are in the Added state in Administration Services, you must manually configure a new certificate type and role.

Configuring a default certificate type

Auto-enrollment Server uses a default certificate type for users and computers:

    <User>ent_default</User>          The default certificate type for users.
    <Machine>ent_default</Machine>    The default certificate type for computers.

To configure a new default certificate type, complete the following procedure.

To configure a new default certificate type

1 Open the ae-defaults.xml file in a text editor, such as Notepad:

    <install_location>\autoenrollmentservices\config

where <install_location> is the location of the Auto-enrollment Server install. By default, the install location is C:\Program Files\Entrust.

2 Locate the following section of code:

    <!-- Default cert types for user or computer auto-enrollments, for clients
         that send no <CertTypeInfo> in their auto-enrollment request -->
    <DefaultCertType>
      <User>ent_default</User>
      <Machine>ent_default</Machine>
    </DefaultCertType>

3 Replace one or both of the default certificate type settings with the certificate types listed in your Entrust Managed Services PKI Welcome letter:

    <User>ent_default</User>
    <Machine>ent_default</Machine>

Some examples of valid certificate types are:
- ent_twokeypair: two key pair user (encryption and verification)
- ent_nonrepud: three key pair user with non-repudiation key pair (encryption, verification, and non-repudiation)
- ent_efs: three key pair user with EFS key pair (encryption, verification, and Encrypting File System (EFS))
- ent_nonrepud_and_efs: four key pair user with non-repudiation and EFS key pairs (encryption, verification, non-repudiation, and EFS)
- ent_skp_dualusage: one dual usage key pair (dual usage)

4 Save the file.
5 Restart Auto-enrollment Server services in Windows Services.

Configuring a default user role

Auto-enrollment Server has a default role for your users and computers:

    <User>End User</User>          The default user role.
    <Machine>End User</Machine>    The default computer role.

To configure a new default role, complete the following procedure.

Note: The administrator must have permission to administer the roles that you configure.

To configure a new default role

1 Open the ae-defaults.xml file in a text editor, such as Notepad:

    <install_location>\autoenrollmentservices\config

where <install_location> is the location of the Auto-enrollment Server install. By default, the install location is C:\Program Files\Entrust.

2 Locate the following section of code:

    <!-- Default roles for user or computer auto-enrollments, for clients
         that send no <CertTypeInfo> in their auto-enrollment request -->
    <DefaultRole>
      <User>End User</User>
      <Machine>End User</Machine>
    </DefaultRole>

3 Replace the default role settings with the roles listed in your Entrust Managed Services PKI Welcome letter:

    <User>End User</User>

and/or

    <Machine>End User</Machine>

Some examples of valid roles are:
- Security Officer
- Administrator
- Directory Administrator
- Auditor
- Self-Administration Server Administrator
- End User

Note: Entrust may have created some custom roles for you. If you are unaware of the custom roles assigned, contact your Entrust representative.

4 Save the file.
5 Restart Auto-enrollment Server services in Windows Services.

Configuring the client information setting

Auto-enrollment Server has a client information setting that controls the assignment of the certificate type and user role when Security Provider auto-enrolls or recovers. The client information setting is an arbitrary string that must match the string that is sent by Security Provider. The arbitrary string is configured in the Windows Registry on the machine that has Security Provider installed:
- AutoEnrollUserDigitalIDType: arbitrary string used for user auto-enrollment/recovery
- AutoEnrollMachineDigitalIDType: arbitrary string used for computer auto-enrollment/recovery

Auto-enrollment Server takes this string and assigns a certificate type and role to Security Provider. The Auto-enrollment Server administrator must be allowed to administer users that have these roles, otherwise the enrollment will fail. For example, if the user is assigned the Security Officer role and the Auto-enrollment administrator cannot administer users with the Security Officer role, the enrollment will fail.

Auto-enrollment Server has a client information string that you can configure for users and computers. To configure a new client string, complete the following procedure.

To configure a new client string

1 Open the ae-defaults.xml file in a text editor, such as Notepad:

    <install_location>\autoenrollmentservices\config

where <install_location> is the location of the Auto-enrollment Server install. By default, the install location is C:\Program Files\Entrust.

2 Locate the following section of code:

    <!-- CertTypeInfo controls the assignment of certificate type and user role
         when a client enrolls. Edit as required. ClientInfo strings are arbitrary
         but must match the string that the client sends. If a ClientInfo string
         is repeated, AE uses the first encountered. AE server assigns a <CertType>
         and <Role> to a client that sends a particular <ClientInfo> string.
         The AE Server admin must be allowed to administer users that have these
         roles; otherwise enrollment will fail. -->
    <CertTypeInfo>
      <ClientRequest>
        <ClientInfo>some_clients_send_this_string</ClientInfo>
        <CertType>ent_default</CertType>
        <Role>End User</Role>
      </ClientRequest>
      <ClientRequest>
        <ClientInfo>other_clients_send_this_different_string</ClientInfo>
        <CertType>ent_skp_dualusage</CertType>
        <Role>Server Login</Role>
      </ClientRequest>
    </CertTypeInfo>

Security Provider sends a client request to Auto-enrollment Server. The request contains an arbitrary string that was configured in the AutoEnrollUserDigitalIDType Windows registry value on the machine that has Security Provider installed. In this case, the Security Provider registry setting is:

    AutoEnrollUserDigitalIDType=some_clients_send_this_string

Auto-enrollment Server checks whether this matches the arbitrary string in one of the <ClientInfo> tags. In this code example, the first <ClientRequest> does contain the same string:

    <ClientInfo>some_clients_send_this_string</ClientInfo>

3 Change the <CertType> and <Role> as required. Auto-enrollment Server reads the <CertType> and <Role> tags to determine which certificate type and role to use for the auto-enrollment. In this code example, the <CertType> is ent_default and the <Role> is End User.

Note: If the string sent in the Security Provider request does not match a string in any of the <ClientInfo> tags, an error is logged and returned to the client. The default certificate type and role are used when the client does not send any <ClientInfo> string at all, or when no <CertTypeInfo> is configured at the server.

4 Save the file.
5 Restart Auto-enrollment Server services in Windows Services.
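The matching rules described above (the first matching <ClientInfo> wins, an unmatched string is an error, the defaults apply only when no string is sent or no <CertTypeInfo> exists, and every role handed out must be one the administrator can administer) can be checked before you restart the service. The following Python script is an added example and not part of Auto-enrollment Server; it assumes an <AEDefaults> root element for the sample file (the real file's root is not shown in this guide) and assumes that the set of roles your administrator may administer is known from your Welcome letter.

```python
import xml.etree.ElementTree as ET


class ClientInfoMismatch(Exception):
    """The client's string matches none of the configured <ClientInfo> values."""


# Constructed sample mirroring the ae-defaults.xml fragments quoted in this
# chapter, under an assumed <AEDefaults> root. A repeated ClientInfo string is
# included on purpose to show the "first encountered wins" rule.
SAMPLE_AE_DEFAULTS = """<AEDefaults>
  <DefaultCertType><User>ent_default</User><Machine>ent_default</Machine></DefaultCertType>
  <DefaultRole><User>End User</User><Machine>End User</Machine></DefaultRole>
  <CertTypeInfo>
    <ClientRequest>
      <ClientInfo>some_clients_send_this_string</ClientInfo>
      <CertType>ent_default</CertType>
      <Role>End User</Role>
    </ClientRequest>
    <ClientRequest>
      <ClientInfo>other_clients_send_this_different_string</ClientInfo>
      <CertType>ent_skp_dualusage</CertType>
      <Role>Server Login</Role>
    </ClientRequest>
    <ClientRequest>
      <ClientInfo>some_clients_send_this_string</ClientInfo>
      <CertType>ent_nonrepud</CertType>
      <Role>Security Officer</Role>
    </ClientRequest>
  </CertTypeInfo>
</AEDefaults>"""


def load_defaults(xml_text):
    """Parse ae-defaults.xml content into an element tree root."""
    return ET.fromstring(xml_text)


def resolve(root, client_info, subject="User"):
    """Return (cert_type, role) for one auto-enrollment request.

    subject is "User" or "Machine", i.e. whether the client used the
    AutoEnrollUserDigitalIDType or AutoEnrollMachineDigitalIDType registry value.
    client_info is the string the client sent, or None if it sent none.
    """
    cert_type_info = root.find("CertTypeInfo")
    if client_info is None or cert_type_info is None:
        # No string sent, or no <CertTypeInfo> configured: use the defaults
        return (root.findtext("DefaultCertType/%s" % subject),
                root.findtext("DefaultRole/%s" % subject))
    for req in cert_type_info.findall("ClientRequest"):
        # Exact string match, in document order: a repeated string resolves
        # to its first <ClientRequest>
        if req.findtext("ClientInfo") == client_info:
            return (req.findtext("CertType"), req.findtext("Role"))
    # Mirrors the server behaviour: an error is logged and returned to the client
    raise ClientInfoMismatch(client_info)


def roles_admin_cannot_administer(root, administrable_roles):
    """Pre-restart lint: every role the file can hand out must be one the
    Auto-enrollment Server administrator may administer, or enrollment fails at
    run time. administrable_roles (an assumption) is that administrator's set."""
    configured = {root.findtext("DefaultRole/User"), root.findtext("DefaultRole/Machine")}
    configured.update(req.findtext("Role") for req in root.iter("ClientRequest"))
    return sorted(configured - set(administrable_roles))


if __name__ == "__main__":
    defaults = load_defaults(SAMPLE_AE_DEFAULTS)
    print(resolve(defaults, "some_clients_send_this_string"))
    print(resolve(defaults, None, "Machine"))
    print(roles_admin_cannot_administer(defaults, {"End User", "Server Login"}))
```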

Customizing certificate lifetimes

You can configure the ae-defaults.xml file to set certificate lifetimes for users or computers. You can choose to keep the defaults or configure new defaults for your users and computers that are auto-enrolling.

Note: The certificate lifetime settings in the <CertificatePolicy> section override the default certificate lifetime settings in the CA. To use the CA's default settings, delete or comment out the settings in the <CertificatePolicy> section.

To configure the certificate lifetimes, complete the following procedure.

To configure certificate lifetimes

1 Open the ae-defaults.xml file in a text editor, such as Notepad:

    <install_location>\autoenrollmentservices\config

where <install_location> is the location of the Auto-enrollment Server install. By default, the install location is C:\Program Files\Entrust.

2 Locate the following section of code:

    <!-- Example of a CertificatePolicy. Edit as required, or remove it to get
         default policy associated with the user Role. -->
    <CertificatePolicy>
      <EncLifetime>36</EncLifetime>
      <VerLifetime>36</VerLifetime>
      <SignLifePercentage>70</SignLifePercentage>
    </CertificatePolicy>

3 To change the lifetime (in months) of encryption certificates, change the <EncLifetime> value. You can specify a value between 2 and 420 months (35 years).
4 To change the lifetime (in months) of verification certificates, change the <VerLifetime> value. You can specify a value between 2 and 420 months (35 years).
5 To change the percentage of the signing private key lifetime, which determines when a user's key pair requires updating, change the <SignLifePercentage> value. You can specify a value from 1 to 100 (percent).
6 Save the file.
7 Restart Auto-enrollment Server services in Windows Services.

Customizing a user's Distinguished Name (DN)

Auto-enrollment Server uses the DN builder implementation (DistinguishedNameBuilderImpl) by default to automatically create a user's or computer's distinguished name (DN), common name (CN), and surname from the information in the Security Provider request. If you are using Microsoft Active Directory as your certificate repository, the default DistinguishedNameBuilderImpl attempts to read the client's distinguished name (DN), common name (CN), surname, e-mail address, and UPN from that directory.

The default DistinguishedNameBuilderImpl builds a distinguished name (DN) for Security Provider by using the following:
- common name (cn): the client's authenticated Windows account name
- surname: the Windows domain
- search bases: the search bases that are configured in the ae-defaults.xml file

The default also sets a dnsname as a subjectaltname extension for computer enrollments. In addition, it sets an othername as a subjectaltname extension if the client machine is a domain controller; the othername carries the domain controller GUID.

The default does not set a subjectaltname extension for user enrollments, unless you are using Active Directory as the certificate repository. However, there is sample code that you can use to customize the DN builder implementation to set a subjectaltname. If you are using Active Directory as the repository for user or machine enrollments, the default DistinguishedNameBuilderImpl reads the client's e-mail address and UPN from the directory and sets them into the subjectaltname extension.

Note: If you need to change a user's or computer's DN after they have auto-enrolled and are in the Added state in Administration Services, you must manually configure a new DN.

Refer to Appendix A, Writing your own DN Builder implementation code, on page 131 for further information about the code that you can use to create your own DN builder implementation.

Customizing a search base for enrolling clients

Security Provider is enrolled on the search bases that are set for users or machines in the <DNBuilderSearchBase> setting in the ae-defaults.xml file. If no search bases are provided, the client is enrolled on the search base where the Auto-enrollment Server administrator resides. However, with Active Directory the client's account is already in the directory, and the enrollment uses that DN instead of the <DNBuilderSearchBase> setting. Consult your Entrust Managed Services PKI Welcome letter for more information.

Note: If you need to change a user's or computer's search base after they have auto-enrolled and are in the Added state in Administration Services, you must manually configure a new search base.

Complete the following procedure to configure the search base value.

To configure the search base value

1 Open the ae-defaults.xml file in a text editor, such as Notepad:

   <install_location>\autoenrollmentservices\config

   where <install_location> is the location of the Auto-enrollment Server install. By default, the install location is C:\Program Files\Entrust.

2 Locate the following section of code:

   <!-- The search base under which clients will be enrolled. This is optional.
        If you omit it, the CA search base will be used. -->
   <DNBuilderSearchBase>
     <User></User>
     <Machine></Machine>
   </DNBuilderSearchBase>

3 To configure a search base for users, add your search base value to the <User> setting. To configure a search base for computers, add a search base value to the <Machine> setting.

   Attention: The <User> and <Machine> settings are not used if Active Directory is the certificate repository. These settings may be used if Active Directory is the Windows account repository.

4 Save the file.

5 Restart Auto-enrollment Server services in Windows Services.

Configuring the DNS name

Auto-enrollment Server attempts to locate a DNS name (dnsname) for the auto-enrollment. If the dnsname lookup fails, as a backup you can configure a setting so that Auto-enrollment Server knows which dnsname to assign to authenticated clients from a particular Windows domain.

Complete the following procedure to configure the dnsname.

To configure the DNS name

1 Open the ae-defaults.xml file in a text editor, such as Notepad:

   <install_location>\autoenrollmentservices\config

   where <install_location> is the location of the Auto-enrollment Server install. By default, the install location is C:\Program Files\Entrust.

2 Locate the following section of code:

   <!-- List of accepted clients -->
   <DomainList>
     <Domain>
       <Windows>Your_Windows_domain_name</Windows>
       <DNS>Your_DNS_name</DNS>
     </Domain>
   </DomainList>

3 Change the value in the <DNS>Your_DNS_name</DNS> setting to reflect your organization's dnsname domain value. In the example below, the Windows domain is example_hq but the dnsname is example.com. The ae-defaults.xml file can be customized to always map example_hq to example.com:

   <!-- List of accepted clients -->
   <DomainList>
     <Domain>
       <Windows>example_hq</Windows>
       <DNS>example.com</DNS>
     </Domain>
   </DomainList>

4 Save the file.

5 Restart Auto-enrollment Server services in Windows Services.
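The three ae-defaults.xml sections above (certificate lifetimes, search bases, and the Windows-domain to DNS mapping) can be checked before the service is restarted. The following Python script is an added example, not Entrust code: it validates the <CertificatePolicy> ranges the guide states and applies the <DNBuilderSearchBase> and <DomainList> values the way the guide describes the default DN builder. The <AEDefaults> root element, the sample values, and the admin_search_base fallback argument are assumptions; the real DistinguishedNameBuilderImpl is not reproduced.

```python
"""Illustrative checker for the ae-defaults.xml sections discussed above.

Added example, not Entrust code. The <AEDefaults> root and the sample values
are constructed. The DN/dnsname construction only mirrors the guide's
description of the default DN builder (cn = Windows account name, surname =
Windows domain, search base from DNBuilderSearchBase, dnsname for computers)
and is not the real DistinguishedNameBuilderImpl.
"""
import xml.etree.ElementTree as ET

# Constructed sample of the relevant sections of ae-defaults.xml.
SAMPLE_AE_DEFAULTS = """<AEDefaults>
  <CertificatePolicy>
    <EncLifetime>36</EncLifetime>
    <VerLifetime>36</VerLifetime>
    <SignLifePercentage>70</SignLifePercentage>
  </CertificatePolicy>
  <DNBuilderSearchBase>
    <User>ou=Users,o=Example Corp,c=US</User>
    <Machine>ou=Computers,o=Example Corp,c=US</Machine>
  </DNBuilderSearchBase>
  <DomainList>
    <Domain>
      <Windows>example_hq</Windows>
      <DNS>example.com</DNS>
    </Domain>
  </DomainList>
</AEDefaults>
"""

# Allowed ranges stated in the guide: months for the two lifetimes
# (420 months is 35 years), percent for SignLifePercentage.
LIFETIME_RULES = {
    "EncLifetime": (2, 420),
    "VerLifetime": (2, 420),
    "SignLifePercentage": (1, 100),
}


def load_defaults(xml_text):
    """Parse ae-defaults.xml text into an element tree root."""
    return ET.fromstring(xml_text)


def validate_certificate_policy(root):
    """Return a list of problems with <CertificatePolicy>; empty means OK.

    A missing (deleted or commented-out) section is valid: the CA's own
    lifetime defaults then apply, as the guide notes.
    """
    policy = root.find("CertificatePolicy")
    if policy is None:
        return []
    problems = []
    for name, (low, high) in LIFETIME_RULES.items():
        text = policy.findtext(name)
        if text is None or not text.strip():
            problems.append(f"{name}: missing")
            continue
        try:
            value = int(text.strip())
        except ValueError:
            problems.append(f"{name}: not an integer ({text.strip()!r})")
            continue
        if not low <= value <= high:
            problems.append(f"{name}: {value} is outside {low}..{high}")
    return problems


def dns_for_windows_domain(root, windows_domain):
    """Look up the DNS suffix mapped to a Windows domain in <DomainList>.

    Windows domain names are case-insensitive, so compare that way. Returns
    None when the domain is not listed (the server's own dnsname lookup,
    which this example does not model, is the only source in that case).
    """
    for domain in root.findall("DomainList/Domain"):
        windows = (domain.findtext("Windows") or "").strip()
        if windows.lower() == windows_domain.lower():
            return (domain.findtext("DNS") or "").strip() or None
    return None


def build_subject(root, windows_domain, account, is_machine, admin_search_base):
    """Build DN, surname and (for computers) the SAN dnsname as the guide
    describes the default builder when Active Directory is not the
    repository. admin_search_base is the fallback the guide describes for an
    empty <DNBuilderSearchBase>: the search base where the AE admin resides.
    """
    # Windows computer account names end in '$'; drop it for the host name.
    name = account[:-1] if is_machine and account.endswith("$") else account
    element = "Machine" if is_machine else "User"
    base = (root.findtext(f"DNBuilderSearchBase/{element}") or "").strip()
    dn = f"cn={name},{base or admin_search_base}"
    dns_name = None
    if is_machine:
        suffix = dns_for_windows_domain(root, windows_domain)
        if suffix:
            dns_name = f"{name}.{suffix}"
    return {"dn": dn, "surname": windows_domain, "dnsName": dns_name}
```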


5 Configuring queuing

Queuing is an optional feature of Auto-enrollment Server. Its main purpose is to allow an Auto-enrollment Server administrator to approve or reject auto-enrollment/recovery requests.

If you opted for the queuing feature, Entrust automatically added it as a permission to the role you selected when you created the Auto-enrollment Server certificate (see "Step 7: Obtaining a certificate for Auto-enrollment Server" on page 61). If you want this feature at a later time, contact your Entrust representative.

When your organization wants to use queuing, you must configure all of the following:

   "Enabling queuing in Auto-enrollment Server" on page 102
   "Approving or rejecting requests in Administration Services" on page 105

Enabling queuing in Auto-enrollment Server

To enable queuing in Auto-enrollment Server, you must configure the ae-defaults.xml file. Use the following two procedures to configure the Auto-enrollment Server's ae-defaults.xml file:

   "Configuring the ae-defaults.xml file to queue requests" on page 102
   "Configuring the queuing monitor" on page 103

Configuring the ae-defaults.xml file to queue requests

By default, queuing is disabled (NoQueue) in the ae-defaults.xml file. To enable queuing, you must change the NoQueue value to Force.

Note: If Entrust has not configured the Auto-enrollment Services account role with the queue permission, setting the <Enroll> or <Recover> settings to Force will fail.

Complete the following procedure to enable queuing in the ae-defaults.xml file.

To enable queuing in the ae-defaults.xml file

1 On the machine with Auto-enrollment Server installed, open the ae-defaults.xml file in a text editor:

   <install_location>\autoenrollmentservices\config

   where <install_location> is the location of the Auto-enrollment Server install. By default, the install location is C:\Program Files\Entrust.

2 Locate the following section of code in the ae-defaults.xml file:

   <!-- "Force"=queue the operation (fails if the URS admin's user role does not permit queuing) -->
   <!-- "NoQueue"=do not queue (fails if the URS admin's user role requires queuing) -->
   <QueueMode>
     <Enroll>NoQueue</Enroll>
     <Recover>NoQueue</Recover>
   </QueueMode>

3 Change the NoQueue value to Force in the <Enroll>NoQueue</Enroll> and/or <Recover>NoQueue</Recover> settings.

4 Save the changes to the ae-defaults.xml file.

5 Restart Auto-enrollment Server services in Windows Services for the changes to take effect:

   a Click Start > All Programs > Administrative Tools > Services.

   b Select Entrust Authority (TM) Auto-enrollment Server from the list of services and click the Restart the service link.

You have successfully enabled queuing in the ae-defaults.xml file.

Configuring the queuing monitor

Auto-enrollment Server has a queuing monitor that fetches a list of queued requests. Auto-enrollment Server caches this list and uses it to determine whether there have been any previously cancelled requests. Because an identical request could otherwise be queued again after the administrator has cancelled the initial request, the queuing monitor prevents repeated identical requests from being forwarded.

Queued requests are logged in the adminservices.log file when Auto-enrollment Server starts up or whenever the Auto-enrollment Server's queued request list cache is refreshed.

The queued request list is cached for a configurable time interval, which is set using the <QueueRefreshTime> setting in the ae-defaults.xml file. The default <QueueRefreshTime> interval is 1800 seconds (30 minutes). You cannot set the interval to less than 10 seconds, because that impacts performance; if you attempt to do so, Auto-enrollment Server uses 10 seconds instead.

It is important that you configure the queued list to be fetched before Security Provider repeats the request. Security Provider uses the following settings to determine the interval at which it sends auto-enrollment/recovery requests:

   CertUpdateInterval: the interval specified for the Digital ID Monitor, which requests auto-enrollment/recovery for user digital IDs.

   MachineCertUpdateInterval: the interval specified for the Entrust Entelligence Machine Digital ID Service (EEMDIS), which requests auto-enrollment/recovery for computer digital IDs.

By default, both CertUpdateInterval and MachineCertUpdateInterval trigger auto-enrollment/recovery requests every 12 hours. These defaults are configurable in the Microsoft Windows Registry on the machine on which the Security Provider client is installed. See the Entrust Entelligence Security Provider for Windows Administration Guide for more information.

Complete the following procedure if you want to change the default queue time interval.

To configure the queuing monitor

1 On the machine with Auto-enrollment Server installed, open the ae-defaults.xml file in a text editor:

   <install_location>\autoenrollmentservices\config

   where <install_location> is the location of the Auto-enrollment Server install. By default, the install location is C:\Program Files\Entrust.

2 Locate the following section of code in the ae-defaults.xml file:

   <!-- The time interval at which AE Server fetches the request queue from the
        Security Manager (seconds). It must be smaller than the time between
        repeated requests from any one particular client. The ESP client default
        is 12 hours. -->
   <!-- This setting is not used unless QueueMode is set to 'Force'. -->
   <QueueRefreshTime>1800</QueueRefreshTime>

3 Change the QueueRefreshTime value to a value of your choosing, in seconds, in the <QueueRefreshTime>1800</QueueRefreshTime> setting.

   Attention: If you configure <QueueRefreshTime> to fetch the list of queued requests too frequently, the performance of your Auto-enrollment Server will degrade.

4 Save the changes to the ae-defaults.xml file.

5 Restart Auto-enrollment Server services in Windows Services for the changes to take effect:

   a Click Start > All Programs > Administrative Tools > Services.

   b Select Entrust Authority (TM) Auto-enrollment Server from the list of services and click the Restart the service link.

You have successfully configured the queuing monitor in the ae-defaults.xml file.
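To check the queuing settings from both procedures above against the constraints the guide states (the two valid <QueueMode> values, the 10-second floor on <QueueRefreshTime>, and a refresh interval shorter than the 12-hour Security Provider repeat interval), here is an added Python example that is not part of Entrust's product. The <AEDefaults> root element, the helper that builds the XML fragment, and the role_permits_queuing argument (standing in for the Entrust-assigned queue permission, which is not visible in ae-defaults.xml) are assumptions.

```python
"""Sanity check for the <QueueMode> and <QueueRefreshTime> settings.

Added example, not Entrust code. It encodes only what the guide states:
the Force/NoQueue values, the 10-second floor the server enforces, the
1800-second default, and the 12-hour Security Provider repeat interval.
"""
import xml.etree.ElementTree as ET

QUEUE_MODES = {"Force", "NoQueue"}
MIN_REFRESH_SECONDS = 10                 # the server uses 10 s for anything smaller
DEFAULT_REFRESH_SECONDS = 1800           # guide default (30 minutes)
ESP_DEFAULT_REPEAT_SECONDS = 12 * 3600   # CertUpdateInterval / MachineCertUpdateInterval default


def queue_config_xml(enroll="NoQueue", recover="NoQueue", refresh=DEFAULT_REFRESH_SECONDS):
    """Build a constructed ae-defaults.xml fragment with the queuing settings.
    The <AEDefaults> root is assumed; the guide shows only the inner elements."""
    return (
        "<AEDefaults>"
        f"<QueueMode><Enroll>{enroll}</Enroll><Recover>{recover}</Recover></QueueMode>"
        f"<QueueRefreshTime>{refresh}</QueueRefreshTime>"
        "</AEDefaults>"
    )


def effective_refresh_seconds(configured):
    """Apply the floor the guide describes: below 10 seconds, 10 is used."""
    return max(configured, MIN_REFRESH_SECONDS)


def check_queue_config(xml_text, role_permits_queuing=True,
                       client_repeat_seconds=ESP_DEFAULT_REPEAT_SECONDS):
    """Return findings as 'error: ...', 'warning: ...' or 'info: ...' strings.

    role_permits_queuing says whether Entrust added the queue permission to
    the Auto-enrollment Services role; client_repeat_seconds is the shortest
    interval at which any Security Provider client repeats a request.
    """
    root = ET.fromstring(xml_text)
    findings = []
    modes = {}
    for operation in ("Enroll", "Recover"):
        value = (root.findtext(f"QueueMode/{operation}") or "").strip()
        if value not in QUEUE_MODES:
            findings.append(f"error: QueueMode/{operation}={value!r} is not Force or NoQueue")
        modes[operation] = value
    queuing_enabled = "Force" in modes.values()

    if queuing_enabled and not role_permits_queuing:
        findings.append("error: Force is set but the Auto-enrollment Services role "
                        "lacks the queue permission; queued operations will fail")

    refresh_text = (root.findtext("QueueRefreshTime") or "").strip()
    try:
        refresh = int(refresh_text)
    except ValueError:
        findings.append(f"error: QueueRefreshTime={refresh_text!r} is not an integer")
        return findings

    if not queuing_enabled:
        # The guide's comment: the setting is unused unless QueueMode is Force.
        findings.append("info: QueueRefreshTime is ignored because QueueMode is not Force")
        return findings

    effective = effective_refresh_seconds(refresh)
    if refresh < MIN_REFRESH_SECONDS:
        findings.append(f"warning: QueueRefreshTime={refresh} is below the 10-second floor; "
                        f"the server will use {effective}")
    if effective >= client_repeat_seconds:
        # The cached queue list must be refreshed before a client repeats its
        # request, or the monitor cannot recognise the repeat.
        findings.append(f"error: queue refresh ({effective} s) is not shorter than the "
                        f"client repeat interval ({client_repeat_seconds} s); repeated "
                        "requests may be forwarded before the cache sees them")
    return findings
```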

Approving or rejecting requests in Administration Services

Once you have logged in to Administration Services using the Administrator Login, you can approve, cancel, or cancel and delete pending auto-enrollment/recovery requests. When an administrator:

   Approves an auto-enrollment/recovery request, the request is submitted for processing. When the administrator's approval completes, authorization codes are sent to the Security Provider for Windows client. If the queued request requires approval by several administrators, the request remains queued until all administrators have approved it.

   Cancels a queued auto-enrollment/recovery request, an identical request cannot be queued.

   Cancels and deletes a queued auto-enrollment/recovery request, a new identical request can be queued.

To approve, cancel, or cancel and delete a pending auto-enrollment/recovery request

1 Log in to Administration Services. See "To log in to Administration Services" on page 24 for more information.

2 Click Approve Pending Requests in the left pane under Tasks, or in the main pane under Request Tasks. The Approve Pending Requests page appears, with a list of all requests that are currently in the queue.

3 To view detailed information on a request, click the request name. A new browser window opens with a list of relevant information on the request.

4 Select the auto-enrollment/recovery request that you want to process.

5 Select one of the following actions for the chosen request:

   Approve: Approving a request allows it to be submitted for processing. If the request needs approval by more than one administrator, the request is submitted for processing only after all administrators have approved it.

   Cancel: Cancelling a request removes the request from all Approve Pending Requests pages. An identical request cannot be queued.

   Cancel and Delete


Tharo Systems, Inc. 2866 Nationwide Parkway P.O. Box 798 Brunswick, OH 44212 USA Tel: 330.273.4408 Fax: 330.225.0099 Introduction EASYLABEL 6 has several new features for saving the history of label formats. This history can include information about when label formats were edited and printed. In order to save this history,

More information

WHITE PAPER Citrix Secure Gateway Startup Guide

WHITE PAPER Citrix Secure Gateway Startup Guide WHITE PAPER Citrix Secure Gateway Startup Guide www.citrix.com Contents Introduction... 2 What you will need... 2 Preparing the environment for Secure Gateway... 2 Installing a CA using Windows Server

More information

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Table of Contents Introduction.... 3 Requirements.... 3 Horizon Workspace Components.... 3 SAML 2.0 Standard.... 3 Authentication

More information

AVG Business SSO Connecting to Active Directory

AVG Business SSO Connecting to Active Directory AVG Business SSO Connecting to Active Directory Contents AVG Business SSO Connecting to Active Directory... 1 Selecting an identity repository and using Active Directory... 3 Installing Business SSO cloud

More information

XenClient Enterprise Synchronizer Installation Guide

XenClient Enterprise Synchronizer Installation Guide XenClient Enterprise Synchronizer Installation Guide Version 5.1.0 March 26, 2014 Table of Contents About this Guide...3 Hardware, Software and Browser Requirements...3 BIOS Settings...4 Adding Hyper-V

More information

SECO Whitepaper. SuisseID Smart Card Logon Configuration Guide. Prepared for SECO. Publish Date 19.05.2010 Version V1.0

SECO Whitepaper. SuisseID Smart Card Logon Configuration Guide. Prepared for SECO. Publish Date 19.05.2010 Version V1.0 SECO Whitepaper SuisseID Smart Card Logon Configuration Guide Prepared for SECO Publish Date 19.05.2010 Version V1.0 Prepared by Martin Sieber (Microsoft) Contributors Kunal Kodkani (Microsoft) Template

More information

Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2

Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2 Password Reset Server Installation Guide Windows 8 / 8.1 Windows Server 2012 / R2 Last revised: November 12, 2014 Table of Contents Table of Contents... 2 I. Introduction... 4 A. ASP.NET Website... 4 B.

More information

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide This document is intended to help you get started using WebSpy Vantage Ultimate and the Web Module. For more detailed information, please see

More information

Step-by-step installation guide for monitoring untrusted servers using Operations Manager ( Part 3 of 3)

Step-by-step installation guide for monitoring untrusted servers using Operations Manager ( Part 3 of 3) Step-by-step installation guide for monitoring untrusted servers using Operations Manager ( Part 3 of 3) Manual installation of agents and importing the SCOM certificate to the servers to be monitored:

More information

SonicWALL SSL VPN 3.5: Virtual Assist

SonicWALL SSL VPN 3.5: Virtual Assist SonicWALL SSL VPN 3.5: Virtual Assist Document Scope This document describes how to use the SonicWALL Virtual Assist add-on for SonicWALL SSL VPN security appliances. This document contains the following

More information

Sage HRMS 2014 Sage Employee Self Service Tech Installation Guide for Windows 2003, 2008, and 2012. October 2013

Sage HRMS 2014 Sage Employee Self Service Tech Installation Guide for Windows 2003, 2008, and 2012. October 2013 Sage HRMS 2014 Sage Employee Self Service Tech Installation Guide for Windows 2003, 2008, and 2012 October 2013 This is a publication of Sage Software, Inc. Document version: October 17, 2013 Copyright

More information

HTTP communication between Symantec Enterprise Vault and Clearwell E- Discovery

HTTP communication between Symantec Enterprise Vault and Clearwell E- Discovery Securing HTTP communication between Symantec Enterprise Vault and Clearwell E- Discovery Requesting and Applying an SSL Certificate to secure communication ion from Clearwell E-Discovery to Enterprise

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Content Filtering Client Policy & Reporting Administrator s Guide

Content Filtering Client Policy & Reporting Administrator s Guide Content Filtering Client Policy & Reporting Administrator s Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION

More information

Installing Management Applications on VNX for File

Installing Management Applications on VNX for File EMC VNX Series Release 8.1 Installing Management Applications on VNX for File P/N 300-015-111 Rev 01 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com Copyright

More information

Deploying Remote Desktop Connection Broker with High Availability Step-by-Step Guide

Deploying Remote Desktop Connection Broker with High Availability Step-by-Step Guide Deploying Remote Desktop Connection Broker with High Availability Step-by-Step Guide Microsoft Corporation Published: May 2010 Abstract This guide describes the steps for configuring Remote Desktop Connection

More information

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0 Entrust Managed Services PKI Getting started with digital certificates and Entrust Managed Services PKI Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust

More information

Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide

Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide c623242f-20f0-40fe-b5c1-8412a094fdc7 Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide Microsoft Corporation Published: June 2009 Updated: April 2010 Abstract

More information

Sage 200 Web Time & Expenses Guide

Sage 200 Web Time & Expenses Guide Sage 200 Web Time & Expenses Guide Sage (UK) Limited Copyright Statement Sage (UK) Limited, 2006. All rights reserved If this documentation includes advice or information relating to any matter other than

More information

Upgrading from Call Center Reporting to Reporting for Contact Center. BCM Contact Center

Upgrading from Call Center Reporting to Reporting for Contact Center. BCM Contact Center Upgrading from Call Center Reporting to Reporting for Contact Center BCM Contact Center Document Number: NN40010-400 Document Status: Standard Document Version: 02.00 Date: June 2006 Copyright Nortel Networks

More information

Dial-up Installation for CWOPA Users (Windows Operating System)

Dial-up Installation for CWOPA Users (Windows Operating System) Dial-up Installation for CWOPA Users (Windows Operating System) 1 Table of Contents Download and Install Digital Certificates... 3 Internet Explorer 8/9 Certificate Installation.3 Windows XP Instructions

More information

Sophos Anti-Virus for NetApp Storage Systems user guide. Product version: 3.0

Sophos Anti-Virus for NetApp Storage Systems user guide. Product version: 3.0 Sophos Anti-Virus for NetApp Storage Systems user guide Product version: 3.0 Document date: May 2014 Contents 1 About this guide...3 2 About Sophos Anti-Virus for NetApp Storage Systems...4 3 System requirements...5

More information

NETASQ SSO Agent Installation and deployment

NETASQ SSO Agent Installation and deployment NETASQ SSO Agent Installation and deployment Document version: 1.3 Reference: naentno_sso_agent Page 1 / 20 Copyright NETASQ 2013 General information 3 Principle 3 Requirements 3 Active Directory user

More information

SafeGuard Enterprise Web Helpdesk. Product version: 6.1

SafeGuard Enterprise Web Helpdesk. Product version: 6.1 SafeGuard Enterprise Web Helpdesk Product version: 6.1 Document date: February 2014 Contents 1 SafeGuard web-based Challenge/Response...3 2 Scope of Web Helpdesk...4 3 Installation...5 4 Allow Web Helpdesk

More information

Skyward LDAP Launch Kit Table of Contents

Skyward LDAP Launch Kit Table of Contents 04.30.2015 Table of Contents What is LDAP and what is it used for?... 3 Can Cloud Hosted (ISCorp) Customers use LDAP?... 3 What is Advanced LDAP?... 3 Does LDAP support single sign-on?... 4 How do I know

More information

Kaseya Server Instal ation User Guide June 6, 2008

Kaseya Server Instal ation User Guide June 6, 2008 Kaseya Server Installation User Guide June 6, 2008 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations. Kaseya's

More information

DriveLock Quick Start Guide

DriveLock Quick Start Guide Be secure in less than 4 hours CenterTools Software GmbH 2012 Copyright Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise

More information

Use 802.1x EAP-TLS or PEAP-MS-CHAP v2 with Microsoft Windows Server 2003 to Make a Secure Network

Use 802.1x EAP-TLS or PEAP-MS-CHAP v2 with Microsoft Windows Server 2003 to Make a Secure Network How To Use 802.1x EAP-TLS or PEAP-MS-CHAP v2 with Microsoft Windows Server 2003 to Make a Secure Network Introduction This document describes how to create a secure LAN, using two servers and an 802.1xcompatible

More information

Sophos Mobile Control Installation guide. Product version: 3.5

Sophos Mobile Control Installation guide. Product version: 3.5 Sophos Mobile Control Installation guide Product version: 3.5 Document date: July 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...4 3 Set up Sophos Mobile Control...10 4 External

More information

Installing Policy Patrol on a separate machine

Installing Policy Patrol on a separate machine Policy Patrol 3.0 technical documentation July 23, 2004 Installing Policy Patrol on a separate machine If you have Microsoft Exchange Server 2000 or 2003 it is recommended to install Policy Patrol on the

More information

DESlock+ Basic Setup Guide ENTERPRISE SERVER ESSENTIAL/STANDARD/PRO

DESlock+ Basic Setup Guide ENTERPRISE SERVER ESSENTIAL/STANDARD/PRO DESlock+ Basic Setup Guide ENTERPRISE SERVER ESSENTIAL/STANDARD/PRO Contents Overview...1 System requirements...1 Enterprise Server:...1 Client PCs:...1 Section 1: Before installing...1 Section 2: Download

More information

Integrating WebSphere Portal V8.0 with Business Process Manager V8.0

Integrating WebSphere Portal V8.0 with Business Process Manager V8.0 2012 Integrating WebSphere Portal V8.0 with Business Process Manager V8.0 WebSphere Portal & BPM Services [Page 2 of 51] CONTENTS CONTENTS... 2 1. DOCUMENT INFORMATION... 4 1.1 1.2 2. INTRODUCTION... 5

More information

Reference and Troubleshooting: FTP, IIS, and Firewall Information

Reference and Troubleshooting: FTP, IIS, and Firewall Information APPENDIXC Reference and Troubleshooting: FTP, IIS, and Firewall Information Although Cisco VXC Manager automatically installs and configures everything you need for use with respect to FTP, IIS, and the

More information

ATT8367-Novell GroupWise 2014 and the Directory Labs

ATT8367-Novell GroupWise 2014 and the Directory Labs ATT8367-Novell GroupWise 2014 and the Directory Labs ATT8367 Novell Training Services AUTHORIZED COURSEWARE www.novell.com Legal Notices Novell, Inc., makes no representations or warranties with respect

More information