Tivoli® Public Key Infrastructure Configuration Guide
Version 3 Release 7.1
SH88-8501-01 (English edition: SH09-4529-03)

Source: Tivoli Public Key Infrastructure - IBM, publib.boulder.ibm.com/tividd/td/PKI/SH09-4529-03/...

Comments on this Japanese edition can be sent through the form at
http://www.ibm.com/jp/manuals/main/mail.html

Manuals published by IBM Japan are also available on the Internet at
http://www.ibm.com/jp/manuals/
(These URLs are subject to change.)

Original edition: SH09-4529-03

Tivoli® Public Key Infrastructure
Configuration Guide
Version 3 Release 7.1

Translation: IBM Japan, Ltd.
Responsible department: National Language Support

First edition: September 2001

© Copyright IBM Japan 2001

Tivoli Public Key Infrastructure Configuration Guide

Copyright notice

Copyright © 2001 by Tivoli Systems Inc., an IBM Company. All rights reserved.
Use of this publication is governed by the Tivoli Systems Software License Agreement, the IBM Program License Agreement, or the license agreement for the corresponding Tivoli product.

Tivoli PKI Configuration Guide   iii

Trademarks

The following are trademarks of Tivoli Systems Inc. or IBM Corporation: AIX, DB2, DB2 Universal Database, IBM, RS/6000, SecureWay, Tivoli, WebSphere.

The Tivoli PKI program (the "Program") contains portions of IBM WebSphere Application Server and IBM HTTP Web Server (together, the "IBM Servers"). The IBM Servers are licensed for use with the Program only; you may not install or use the IBM Servers separately from the Program, and you may not install or use them except in conjunction with the Program.

The Program also contains components of DB2 Universal Database. You may install and use those components only with the Program and with WebSphere Application Server, and only to store and manage data that is used or produced by the Program and WebSphere Application Server; you may not use them to manage any other data. For example, this license does not include any interactive, report-generating, or application-development access to the database. Installing and using these components is permitted only as part of the Program.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark in the United States and other countries, licensed through The Open Group.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Pentium is a trademark of Intel Corporation in the United States, other countries, or both.

This Program contains security software from RSA Data Security, Inc.
Copyright © 1994 RSA Data Security, Inc. All rights reserved.

This Program contains Standard Template Library (STL) software from Hewlett Packard Company.
Copyright (c) 1994.
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

This Program contains Standard Template Library (STL) software from Silicon Graphics Computer Systems, Inc.
Copyright (c) 1996-1999.
Permission to use, copy, modify, distribute and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Silicon Graphics makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

Other company, product, and service names may be trademarks or service marks of others.

Notices

References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that Tivoli Systems or IBM intends to make them available in every country in which Tivoli Systems or IBM operates. Any reference to such a product, program, or service is not intended to state or imply that only that product, program, or service may be used. Subject to the valid intellectual property and other legally protectable rights of Tivoli Systems or IBM, any functionally equivalent product, program, or service may be used instead. Evaluating and verifying operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, is the responsibility of the user.

Tivoli Systems or IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to those patents. Send license inquiries, in writing, to:

  IBM World Trade Asia Corporation
  Intellectual Property Law & Licensing
  2-31 Roppongi 3-chome, Minato-ku, Tokyo 106-0032, Japan

The following paragraph does not apply in any country where such provisions are inconsistent with local law: IBM and its subsidiaries provide this publication "as is", without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of non-infringement, merchantability, or fitness for a particular purpose. Some jurisdictions do not allow the disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

IBM may make improvements or changes to the products or programs described in this publication at any time without notice.

References in this publication to non-IBM Web sites are provided for convenience only and do not in any way endorse those Web sites. The materials at those Web sites are not part of the materials for this IBM product; use of those Web sites is at your own risk.

Contents

Preface  ix
  Who should read this book  ix
  Related documents  ix
  How this book is organized  x
  Conventions used in this book  x
  Contacting customer support  xi
  Tivoli PKI Web resources  xi

Chapter 1. About Tivoli PKI  1

Chapter 2. Overview  3

Chapter 3. Configuration tasks  5
  Preparing for configuration  5
    Setting up the workstation  5
    Collecting configuration data  6
  Configuring the system  9
    Running the Setup Wizard  9
    Running CfgStart on AIX  11
    Running CfgStart on Windows NT  11
    Importing configuration data  12
    Setting up remote servers  12
    Using an existing Directory  16
    Specifying DNs manually  22
    Using the DN editor  23
    Displaying configuration messages  25
    Verifying the configuration  25
  Preparing for operation  26
    Securing the Setup Wizard  27
    Changing Directory settings on AIX  27
    Changing server passwords  27
    Protecting the configuration files  28
    Backing up the Tivoli PKI system  28
    Changing the Directory to allow blanks in DNs  29
    Changing the ACL for a new LDAP suffix  29
    Customizing the registration domain  29
  Reconfiguring the system  30
  Using Tivoli PKI with Policy Director  30
  Uninstalling Tivoli PKI  31
    Uninstalling from AIX  31
    Uninstalling from Windows NT  32

Chapter 4. Information  35
  Audit  35
  Certificate Authority  36
  DB2 database  37
  Directory  37
    Directory tree  38
    Root DN  38
    Directory administrator  38
  PKIX CMP protocol  39
  Registration domain  39
  SSL protocol  40
  Web server  40
  4758 coprocessor  41

Chapter 5. Reference  43
  Import options  44
  CA and Audit server options  44
  CA key options  45
  Directory server options  46
  Directory root options  47
  Directory administrator options  48
  Registration domain options  49
  Public Web server options  50
  Secure Web server options  50
  RA options  51
  Configuration summary  52
  Saving configuration data  52
  Configuration process  53
  Keyboard equivalents for mouse actions  53

Glossary  57

Index  79

Preface

This book describes how to use the Setup Wizard to configure Tivoli PKI for your environment.

Only the AIX platform is supported by the product in this release. Disregard all descriptions that refer to Microsoft Windows.

Who should read this book

This book gives system administrators the step-by-step information they need to configure Tivoli PKI. Readers should be familiar with installing and configuring products in a networked environment, and should have a working knowledge of the following:

  • Hardware installation and configuration.
  • Internet networking protocols, specifically TCP/IP and SSL (Secure Sockets Layer).
  • Web server administration.
  • PKI (Public Key Infrastructure) concepts, including Directory schemas, X.509 Version 3 certificates, and the Lightweight Directory Access Protocol (LDAP).
  • Relational database systems, specifically IBM DB2 Universal Database.

Related documents

The Tivoli PKI product documentation is available from the Tivoli Web site in Portable Document Format (PDF) and in HTML. The HTML versions of the books are installed with the product and can be reached from the user interface.

The documentation may be updated after the product ships. For the latest product information, corrections, and directions to the current documentation, see the Release Notes. The latest Release Notes are available from the Tivoli Public Key Infrastructure Web site:

http://www.tivoli.com/support

The Tivoli PKI library includes the following books:

Startup Guide
  Gives an overview of the product, lists the installation steps, and explains how to reach the online help for each product component. This book is printed and shipped with the product.

System Administration Guide
  Contains general information about administering the Tivoli PKI system, including starting and stopping servers, changing passwords, managing server components, running audits, and backing up and restoring data.

Configuration Guide
  Describes how to configure the Tivoli PKI system with the Setup Wizard. The HTML version of this guide is reached from the wizard's online help.

RA Desktop Guide
  Describes how to administer certificates through their life cycle with the RA Desktop. The HTML version of this guide is reached from the RA Desktop's online help.

User's Guide
  Describes how to obtain and manage certificates, including how to request, renew, and revoke certificates with the Tivoli PKI browser registration forms. It also describes how to register with PKIX-compliant applications.

Customization Guide
  Describes how to customize the Tivoli PKI registration facilities to fit your organization's registration and certification policies, for example by customizing the HTML and Java® Server Pages, the notification letters, the certificate profiles, and the policy exits.

How this book is organized

This book is organized as follows:

  • "About Tivoli PKI" on page 1 briefly describes the functions and features of Tivoli PKI.
  • "Overview" on page 3 explains how to use this book.
  • "Configuration tasks" on page 5 gives step-by-step information for configuring Tivoli PKI.
  • "Information" on page 35 gives general information about Tivoli PKI functions and detailed information about the components that the configuration requires.
  • "Reference" on page 43 describes the values you can specify when you run the Tivoli PKI Setup Wizard.
  • The "Glossary" on page 57 defines the terms and abbreviations used in this book that are new, not widely known, or specific to this product.

Conventions used in this book

This book uses typographic conventions to distinguish particular kinds of terms and actions:

  Bold       Commands, keywords, file names, and other information that must be typed exactly as shown.
  Italic     Variables that you must replace with a value, and the titles of books. Emphasized words are also shown in italic.
  Monospace  Code examples, paths, and system messages.

Contacting customer support

For documentation and customer support, contact your sales representative.

Tivoli PKI Web resources

Tivoli and IBM Tivoli customers can obtain online information about the Tivoli security products and about Tivoli PKI.

For the latest information on known problems with the product, for service information, and to download Tivoli PKI, visit the following Web site first:

http://www.tivoli.com/support/secure_download_bridge.html

For information about the Tivoli Public Key Infrastructure product, visit the following Web site:

http://www.tivoli.com/products/index/secureway_public_key/

For information about other Tivoli security management products, visit the following Web address:

http://www.tivoli.com/products/solutions/security/

Chapter 1. About Tivoli PKI

Tivoli Public Key Infrastructure (PKI) lets you authenticate users within your applications and protect the trusted communications of your network.

  • You can issue, renew, revoke, and manage digital certificates according to the registration and certification policies that suit each of your business contexts.
  • Support for the Public Key Infrastructure for X.509 Version 3 (PKIX) and the Common Data Security Architecture (CDSA) standards provides interoperability between vendors.
  • Digital signatures and secure protocols provide the means to authenticate every party to a transaction.
  • Browser-based registration gives users easy access.
  • Encryption of communications and secure storage of registration information increase confidence.

The Tivoli PKI system runs on IBM AIX/6000 and Microsoft Windows NT server platforms. Its main features are as follows:

  • A trusted Certificate Authority (CA) manages the life cycle of digital certificates. To certify that a certificate is valid, the CA digitally signs each certificate it issues. It also signs the certificate revocation list (CRL), which identifies certificates that are no longer valid. To protect the signing key further, the CA can use cryptographic hardware such as the IBM 4758 PCI Cryptographic Coprocessor (also called a hardware security module, HSM).
  • A Registration Authority (RA) handles the administrative tasks of user registration. The RA ensures that only certificates supporting your business policy are issued, and only to authorized users. Administrative tasks can be automated by policy or decided by a registrar. Like the CA, the RA can use the IBM 4758 PCI Cryptographic Coprocessor to protect its signing key.
  • A Web-based registration interface lets users easily obtain certificates for browsers, servers, and other purposes (such as devices on a virtual private network (VPN), smart cards, and secure e-mail).
  • The RA Desktop, a Web-based administration interface, lets authorized registrars approve or reject registration requests and manage certificates after they are issued.
  • The audit subsystem computes a message authentication code (MAC) for each audit record. If a record is changed or deleted after it is written to the audit database, the MAC reveals the tampering.
  • Policy exits and Business Process Objects (BPO) let you customize the registration process to your application.
  • Cryptographic engine support. To protect communications, the Tivoli PKI core components sign their messages with securely stored keys. Security objects such as keys and MACs are encrypted and kept in protected storage areas called KeyStores.
  • Support for the IBM Directory. The Directory stores LDAP-compliant information about the certificates that have been issued and revoked.
  • Support for IBM WebSphere Application Server and IBM HTTP Server. The Web server works with the RA server to encrypt messages, authenticate requests, and publish certificates securely.
  • Support for IBM DB2 Universal Database.

Chapter 2. Overview

After you install the Tivoli PKI software, you must run the Setup Wizard to configure the system for your environment. For example, you must specify installation locations so that the server programs on different machines can communicate.

  • Read "Configuration tasks" to learn about the tasks related to configuration, such as specifying distinguished names (DNs), verifying the configuration process, and preparing the system for operation.
  • Read "Information" to learn what you should know before configuring the system, for example how Tivoli PKI uses the Directory and the guidelines for using cryptographic hardware.
  • Read "Reference" to learn the values you can, or must, specify when running the Setup Wizard.

Before you start the configuration tasks, be sure to read the Release Notes for the latest product information. The latest Release Notes are available from the Tivoli Public Key Infrastructure Web site:

http://www.tivoli.com/support

Chapter 3. Configuration tasks

The topics in this section describe how to configure Tivoli Public Key Infrastructure. The main tasks are:

  • Collecting the information needed to configure the system
  • Specifying distinguished names (DNs) with the DN editor
  • Setting up the Tivoli PKI servers and databases on remote machines
  • Importing an existing configuration set into a new Tivoli PKI system
  • Verifying that the system is configured correctly

After configuring the system, read the topics on putting the new Tivoli PKI system into operation. Instructions for uninstalling the product software are also provided.

Preparing for configuration

Before you begin configuring Tivoli Public Key Infrastructure, make sure the workstation is set up properly to run the Setup Wizard. You also need to collect information about your environment so that you can complete the wizard's windows without interruption.

To prepare for the configuration process, check the requirements described in the following sections.

Setting up the workstation

For the best performance, run the Setup Wizard from a machine other than the Tivoli PKI server machine. That way the full resources of the workstation are available to the applet.

The minimum workstation configuration for running the Setup Wizard is as follows:

  • A machine with an Intel Pentium® processor and at least 96 MB of RAM, and a display adapter and monitor that support 65536 colors at a resolution of 1024 x 768 or higher.
  • A Microsoft Windows 95, Windows 98, or Windows NT operating system.
  • A Web browser that supports JDK 1.1-based applets. The following browsers are recommended:
    - Netscape Navigator or Netscape Communicator (version 4.7x only).
      Note: Netscape Navigator and Netscape Communicator version 6 are not supported by the Setup Wizard.
    - Microsoft Internet Explorer (version 5.0 or later).

Browser considerations

Install the browser version and patch level released by Netscape or Microsoft. Versions obtained from third-party vendors, especially versions for languages other than English, may not display the applet's information correctly.

If you must run the Setup Wizard on the Tivoli PKI server itself and that server is a Windows NT platform, use Microsoft Internet Explorer version 5.0 or later. Running the applet in a Netscape browser there degrades performance severely.

Make sure that the browser does not reach the Tivoli PKI server through an HTTP proxy.

Collecting configuration data

During configuration, the Setup Wizard prompts you for the information shown in the "Tivoli PKI configuration data worksheet" on page 7. Collect this information before you start the configuration process.

If you are installing more than one Tivoli PKI server, copy this worksheet and record the required values for each one. Doing so lets you easily verify the configuration set that you intend to import into each new installation.

Note: The Setup Wizard supplies default values for most configuration options. In most cases you should accept them; change a value only when you are certain that the change is needed.

Tivoli PKI configuration data worksheet

Columns: Window | Description | Default | Value used

Import configuration data
  File name of the configuration data file to import.                        None

CA and Audit servers
  Host name or IP address of the server.                                     Host name of the CA server
  CA server listen port.                                                     1830
  Audit server listen port.                                                  59998
  DN of the CA.                                                              /C=US/O=<company name>/OU=Trust Authority/CN=Trust Authority CA

CA key
  CA signing algorithm.                                                      sha-1WithRSAEncryption (choices: sha-1WithRSAEncryption, md5WithRSAEncryption)
  CA key size.                                                               1024 (choices: 1024)
  Use 4758 hardware for this CA?                                             No (choices: Yes, No)
  RSA key size when 4758 hardware is used.                                   1024 (choices: 512, 768, 1024)
  Store the CA key in the 4758 hardware?                                     No (choices: Yes, No)
  Password or passphrase of the CA 4758 profile.                             None

Directory server
  Host name or IP address of the server.                                     Host name of the Directory server
  Directory daemon listen port.                                              389
  Use an existing Directory?                                                 No (choices: Yes, No)
  Use Directory schema version 3?                                            Yes (choices: Yes, No)

Directory root DN
  DN of the Directory root.                                                  /C=US/O=<company name>/OU=Trust Authority/CN=Ldap Root DN
  Password of the Directory root.                                            None. If the Directory was installed previously, this must match the existing root password.

Directory administrator
  DN of the Directory administrator.                                         /C=US/O=<company name>/OU=Trust Authority/CN=DirAdmin
  Password of the Directory administrator.                                   None. If the Directory was installed previously, this must match the existing administrator password.
  Does the Directory administrator update the Directory?                     Yes (recommended) (choices: Yes, No)

Registration domain
  Domain name. Spaces are not allowed.                                       YourDomain
  Language of the domain.                                                    English
  Installation directory of the domain.                                      AIX: /usr/lpp/iau/pkrf/Domains
                                                                             Windows NT: c:\Program Files\IBM\Trust Authority\pkrf\Domains

Public Web server
  Host name or IP address of the server.                                     Host name of the RA server
  Listen port of the daemon that requires neither encryption nor authentication.   80

Secure Web server without client authentication
  Host name or IP address of the server.                                     Host name of the RA server
  Listen port of the SSL daemon that does not require client authentication. 443

Secure Web server with client authentication
  Host name or IP address of the server.                                     Host name of the RA server
  Listen port of the SSL daemon that requires client authentication.         1443

RA server
  RA server listen port.                                                     829
  Use 4758 hardware for this RA?                                             No (choices: Yes, No)
  RSA key size when 4758 hardware is used.                                   1024 (choices: 512, 768, 1024)
  Store the RA key in the 4758 hardware?                                     No (choices: Yes, No)
  Password or passphrase of the RA 4758 profile.                             None

Cryptographic coprocessor management configuration
  Coprocessor option.                                                        No
  Password of the RA or CA administrator profile.                            None

Save configuration data
  File name of the configuration data file. Follow the file naming rules of AIX or Windows NT. Spaces are not allowed.   DatabaseBackup
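The following script is an added example and is not part of the IBM manual or of Tivoli PKI. It encodes the worksheet defaults above as data and runs the checks a practitioner would want to make on a filled-in worksheet before running CfgStart: listen ports are valid and no two listeners on the same host share one, the DNs follow the slash-separated form the worksheet shows, the CA key and 4758 choices stay within the listed values, a key cannot be stored in the 4758 when the 4758 is not used, and the domain name and backup file name contain no spaces. The host names, the CompanyName placeholder in the DNs, and the field names are assumptions of the example. The wizard lists md5WithRSAEncryption as a choice; the script accepts it but reports a warning, since MD5 collisions are practical.

```python
import re

# Defaults copied from the worksheet. The host names and the "CompanyName"
# placeholder in the DNs are assumptions for this example.
DEFAULTS = {
    "ca_host": "ca.example.com",
    "directory_host": "ldap.example.com",
    "ra_host": "ra.example.com",
    "ca_port": 1830,
    "audit_port": 59998,
    "directory_port": 389,
    "public_web_port": 80,
    "secure_web_port": 443,
    "client_auth_web_port": 1443,
    "ra_port": 829,
    "ca_sign_alg": "sha-1WithRSAEncryption",
    "ca_key_size": 1024,
    "ca_use_4758": False,
    "ca_4758_key_size": 1024,
    "ca_key_in_4758": False,
    "ra_use_4758": False,
    "ra_4758_key_size": 1024,
    "ra_key_in_4758": False,
    "ca_dn": "/C=US/O=CompanyName/OU=Trust Authority/CN=Trust Authority CA",
    "directory_root_dn": "/C=US/O=CompanyName/OU=Trust Authority/CN=Ldap Root DN",
    "directory_admin_dn": "/C=US/O=CompanyName/OU=Trust Authority/CN=DirAdmin",
    "domain_name": "YourDomain",
    "backup_file": "DatabaseBackup",
}

# Host on which each listener runs: the Audit server shares the CA machine and
# the three Web servers share the RA machine, as the worksheet defaults imply.
PORT_HOST = {
    "ca_port": "ca_host",
    "audit_port": "ca_host",
    "directory_port": "directory_host",
    "public_web_port": "ra_host",
    "secure_web_port": "ra_host",
    "client_auth_web_port": "ra_host",
    "ra_port": "ra_host",
}
DN_FIELDS = ("ca_dn", "directory_root_dn", "directory_admin_dn")
ALLOWED_SIGN_ALGS = {"sha-1WithRSAEncryption", "md5WithRSAEncryption"}
ALLOWED_CA_KEY_SIZES = {1024}
ALLOWED_4758_KEY_SIZES = {512, 768, 1024}
# The slash-separated DN form the worksheet uses: /C=US/O=.../OU=.../CN=...
DN_RE = re.compile(r"^(?:/[A-Za-z]+=[^/=]+)+$")


def check_worksheet(values):
    """Merge the filled-in values over the defaults and return a list of
    (level, message) findings; level is "error" or "warning"."""
    cfg = dict(DEFAULTS)
    cfg.update(values)
    findings = []

    # Listen ports must be valid, and two listeners on one host cannot share a port.
    in_use = {}
    for field, host_field in PORT_HOST.items():
        port = cfg[field]
        if not isinstance(port, int) or not 1 <= port <= 65535:
            findings.append(("error", f"{field}: {port!r} is not a valid TCP port"))
            continue
        key = (cfg[host_field], port)
        if key in in_use:
            findings.append(("error", f"{field} and {in_use[key]} both listen on "
                                      f"{key[0]}:{port}"))
        else:
            in_use[key] = field

    for field in DN_FIELDS:
        if not DN_RE.match(cfg[field]):
            findings.append(("error", f"{field}: {cfg[field]!r} is not in "
                                      "/C=.../O=.../CN=... form"))

    alg = cfg["ca_sign_alg"]
    if alg not in ALLOWED_SIGN_ALGS:
        findings.append(("error", f"ca_sign_alg: {alg!r} is not one of the listed choices"))
    elif alg == "md5WithRSAEncryption":
        # The wizard offers MD5, but MD5 collisions are practical; keep SHA-1.
        findings.append(("warning", "ca_sign_alg: md5WithRSAEncryption is offered but "
                                    "MD5 is collision-broken; use sha-1WithRSAEncryption"))
    if cfg["ca_key_size"] not in ALLOWED_CA_KEY_SIZES:
        findings.append(("error", f"ca_key_size: {cfg['ca_key_size']} is not a listed choice"))

    for role in ("ca", "ra"):
        use_hw, in_hw = cfg[f"{role}_use_4758"], cfg[f"{role}_key_in_4758"]
        if use_hw and cfg[f"{role}_4758_key_size"] not in ALLOWED_4758_KEY_SIZES:
            findings.append(("error", f"{role}_4758_key_size: must be 512, 768 or 1024"))
        if in_hw and not use_hw:
            findings.append(("error", f"{role}_key_in_4758 is Yes but {role}_use_4758 is No"))

    # The worksheet forbids spaces in the domain name and in the backup file name.
    for field in ("domain_name", "backup_file"):
        if not cfg[field] or re.search(r"\s", cfg[field]):
            findings.append(("error", f"{field}: {cfg[field]!r} must be non-empty "
                                      "and contain no spaces"))
    return findings


def errors(findings):
    """Only the findings that should block running CfgStart."""
    return [msg for level, msg in findings if level == "error"]


if __name__ == "__main__":
    # Constructed sample input: a worksheet that reuses the secure Web port for the RA.
    for level, msg in check_worksheet({"ra_port": 443, "domain_name": "My Domain"}):
        print(f"{level}: {msg}")
```

Port collisions are checked per host rather than globally because the CA, Directory, and RA listeners are expected to live on different machines; the same port number on two different hosts is legitimate, and the worksheet's own defaults are only guaranteed distinct within one host.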

Configuring the system

When you configure Tivoli Public Key Infrastructure, you specify a number of options that set up the software for your environment. The topics in this section describe the various ways of configuring the Tivoli PKI components, and how to save the configuration set so that it can be reused when you install Tivoli PKI later.

The topics are:

  • Running the Setup Wizard
  • Importing configuration data
  • Setting up remote servers
  • Specifying DNs manually
  • Specifying DNs with the DN editor
  • Displaying configuration messages
  • Verifying the configuration

Running the Setup Wizard

When you are ready to begin configuration, follow these steps to start and run the Setup Wizard.

1. Verify that the browser is ready to run the applet. This step is important. For the requirements, see "Setting up the workstation" on page 5.

2. Log in as the Tivoli PKI configuration user (normally cfguser).

3. Go to the Web address where the applet's welcome page is installed. The following example assumes that the secure Web server on the machine where the main Tivoli PKI code was installed is secure_Web_server:

   https://secure_Web_server/

4. At the browser prompt, choose to accept the temporary signing certificate.

   • With a Netscape browser, you are asked to accept a new site certificate. Click Next repeatedly, then click Finish to accept the certificate. If prompted, select the option to accept the certificate unconditionally (until it expires).
   • With Internet Explorer, a message states that the issuer of the certificate is not trusted. Click Yes to accept the certificate and continue.

5. The browser prompts for a user name and password. Enter cfguser as the user name and, as the password, the control program password that you specified when the CfgPostInstall program was started.

6. When you are ready to begin the configuration process, click the CfgSetupWizard link.

   Note: After the applet starts, this step takes some time to complete. Do not enter data in any field until the applet has loaded the configuration database into memory.

   With Microsoft Internet Explorer, the Java console (if you chose to display it) may show harmless security exceptions. They occur when the Swing UI Manager tries to load property files that a downloaded applet is not permitted to access. These exceptions can be ignored.

7. Enter the values and click Next to move through the applet. In most cases you can accept the default values.

   • If you enter an incorrect value, or try to move on before entering information in a required field, the applet displays a message. Fields that require a value but do not yet have one are marked.
   • Occasionally a text entry field is selected even though it contains no text; when this happens you cannot type into it. To recover, press the Home key to reset the selection in the text field. Text entry then works again.
   • When the cursor is over a field, the applet displays a brief description of that field.
   • To see detailed information about all the fields in a window, click Help.
   • While the online help is displayed, click the book icon to get detailed information about Tivoli PKI configuration; this book (the Tivoli PKI Configuration Guide) opens.

8. After saving the configuration values, click Finish and close the browser. Go to the server and start the configuration program (CfgStart). This program creates the server configuration files and initializes the required databases. For details of the configuration process, see "Running CfgStart on AIX" on page 11 and "Running CfgStart on Windows NT" on page 11.

9. Check the completion messages displayed while the configuration program runs. If any component was installed on a remote machine, messages direct you to perform actions on that remote system to complete the process.

10. Before using the system, perform some additional configuration steps to verify and protect it. For details, see "Verifying the configuration" on page 25 and "Preparing for operation" on page 26.

Page 25: Tivoli Public Key Infrastructure - IBMpublib.boulder.ibm.com/tividd/td/PKI/SH09-4529-03/... · ¶ PKI (Public Key Infrastructure) F/Nm8

AIX ��� CfgStart ���#t^7s_jG Tivoli PKI r$s9H<k7?lg" 12Z<8NXjb<H&5<P<N

;CH"CWYrN'7F"F^7seG,ZJgxG CfgStart rBTG-kh&K9k,

W,"j^9#

!NjgK>CF"CfgStart rBT7^9#cGOGU)kHN$s9H<k&Q9rHQ7

F$^9,"3lOB]N79F`GO[Jklg,"j^9#

1. root H7F<-N3^sIr~O7^9#

su - cfguser

2. bin 5VG#l/Hj<K\07"!N3^sIr~O7^9#

cd /usr/lpp/iau/bin

3. !NIAi+N3^sIr~O7^9#

./CfgStart (����������)

./CfgStart -i (��������������)

=.Wm;9NPOO"U!$k /usr/lpp/iau/logs/instCfg.log K]85l^9#3lO"lL

*JB079F`GN'9k,WN"kU!$kG9#

Windows NT ��� CfgStart ���Tivoli PKI r Windows NT K$s9H<k7?lg";CH"CW&&#6<IN V0

;W \?sr/jC/7?e"j0G CfgStart Wm0i`r+O9k,W,"j^9#

#t^7s_jG Tivoli PKI r$s9H<k7?lg" 12Z<8NXjb<H&5<P<N

;CH"CWYrN'7F"F^7seG,ZJgxG CfgStart rBTG-kh&K9k,

W,"j^9#

!NjgK>CF"CfgStart rBT7^9#cGOGU)kHN$s9H<k&Q9rHQ7

F$^9,"3lOB]N79F`GO[Jklg,"j^9#

1. ,ZJQ9o<IrHQ7"cfguser H7F Windows NT Km0$s7^9#

2. MS-DOS 3^sI&&#sI&r+-^9#

3. Tivoli PKI $s9H<k&Q9N bin 5VG#l/Hj<K\07^9#crs2^9#

cd "c:¥Program Files¥IBM¥Trust Authority¥bin"

4. \Y^?O@YPOrhj~`lgO" MS-DOS 3^sI&&#sI&NWmQF#<

rQ97^9#Vl$"&HW?Vr*r7"VhLPCU!N5$:WNVb5Wr

9999 ^Gg-/7^9#

5. !NIAi+N3^sIr~O7^9#

CfgStart (����������)

CfgStart -i (��������������)

CfgStart NBTf"&#sI&r57/D8ilJ$H$&dj,88klg,"j^9#3

Ndj,88?lgO"=.Wm;9,*;9k^GTCF+i"+$F$k$:l+N&#

sI&rD8^9#


���������

=.N`w7?#tN Tivoli PKI 79F`N;CH"CWnHrD=K9k?a"HQ7?

=.MO;CH"CW&&#6<IKhCF(/9]<HD=JU!$kK]I5l^9#=

NU!$kO"LN Tivoli PKI 79F`N;CH"CWN?aNpCG<?H7F$s]<

H7FHQ9k3H,G-^9#

Tivoli PKI r#tN5<P<K$s9H<k7F"F5<P<G18=.r_j9k=jNl

gO"3N!=rhQG-^9#=.N$s]<H!=rH(P"Tivoli PKI NlP<8gs

G=.5l?{8N79F`N^$0l<7gsnHbZKJj^9#

mU:

¶ 9GK=.Q_N79F`K=.G<?r$s]<H9kH"=N79F`K{

8NG<?,K~5lF7^$^9#

¶ =.G<?r$s]<HG-kNO"18*Zl<F#s0&79F`GBT5

lk79F`KP9klg@1G9#?H(P"AIX WiCHU)<`QNM,

^^lF$k=.G<?&U!$kr"Windows NT QN Tivoli PKI N=.QK

$s]<H7FHQ9k3HOG-^;s#

=.G<?r$s]<H9kKO"!Njgr,$Ii$sH7FHQ7F/@5$#

1. Tivoli PKI r 1 DN^7sK$s9H<k7"3lr=.7^9# =.G<?r]I9

k]KXj7?G<?&U!$kN>0r-?7F*$F/@5$#

2. LN^7sK Tivoli PKI N77$$s9?s9r$s9H<k7^9#

3. h 1 N Tivoli PKI ^7s+ih 2 N^7sK"=.G<?&U!$kr3T<7^9#

¶ AIX Nlg"=.G<?&U!$k,]I5lkGU)kH&Q9O<-NH*jG

9# /usr/lpp/iau/cfg/cfgdb/

¶ Windows NT Nlg"=.G<?&U!$k,]I5lkGU)kH&Q9O<-N

H*jG9# c:¥Program Files¥IBM¥Trust Authority¥cfg¥cfgdb¥

4. 77$^7sG;CH"CW&&#6<Ir+O7^9#GiN&#sI&G"J0N$

s9H<k+i=.G<?r$s]<H9k+I&+rXj9kh&Kaail^9#=

lrBT9k3HrXj9k?aNA'C/&\C/9r/jC/7F/@5$#

5. !N&#sI&G"3N$s9H<kGHQ9k=.G<?&U!$kr*r9kh&K

X(5l^9#3N^7sK3T<7?U!$kr*r7F/@5$#

6. ^?"77$ Tivoli PKI 5<P<r$s9H<k9kN+"=lHb=JN0NP<8g

s+iG<?r^$0l<7gs9kN+rXj7^9#

7. V!XWr/jC/7F3T9kH";CH"CW&&#6<IO"WlCHNDjN&

#sI&K"$s]<H7?U!$k+iNpsr~l^9#

8. 3N Tivoli PKI $s9H<k&79F`QKQ(k,WN"kM@1rQ97F/@5

$#

��������������

3N;/7gsGO"jb<H&5<P<r=.9k 4 DN7Jj*rb@7^9#b@9

k=.nHO"!NH*jG9#


¶ 7Jj* 1 = RA 5<P<, 1 fN^7sKV+lF*j" CA 5<P<"F:5<

P<"Directory 5<P<Ob& 1 fNLN^7sKV+lF$klg

¶ 7Jj* 2 = RA 5<P<H Directory 5<P<, 1 fN^7sKV+lF*j" CA

5<P<HF:5<P<Ob& 1 fNLN^7sKV+lF$klg

¶ 7Jj* 3 = RA 5<P<"F:5<P<"CA 5<P<, 1 fN^7sKV+lF*

j" Directory 5<P<Ob& 1 fNLN^7sKV+lF$klg

¶ 7Jj* 4 = RA 5<P<, 1 fN^7sKV+lF*j" CA 5<P<HF:5<

P<Ob& 1 fNLN^7sK" Directory 5<P<O 3 f\N^7sKV+lF$k

lg

jb<H&5<P<r=.9kH-KO"!Njgr,$Ii$sH7F/@5$#

7Jj* 1 = RA 5<P<, 1 fN^7sKV+lF*j" CA 5<P<"F:5<P

<"Directory 5<P<Ob& 1 fNLN^7sKV+lF$klg

1. 11Z<8NXAIX eGN CfgStart NBTYKb@5lF$k}!K>$"RA 5<P<

eG Tivoli PKI N=.r+O7^9#

2. CfgStart Wm0i`+iWmsWHrP5l?i"CA 5<P<"F:5<P<"*hS

Directory 5<P<N$s9H<k5l?^7sK\07^9#

3. AIX G root H7Fm0$s7^9#

4. <-N3^sIr~O7F"G#l/Hj<rQ97^9#

cd /usr/lpp/iau/bin

5. <-N3^sIr~O7F"]9H$s9H<k&Wm0i`r+O7^9#

./CfgPostInstall -r

6. CfgPostInstall +iWmsWH,P5l?i"Tivoli PKI RA 5<P<N04$~Ia$s

>H" cfguser NQ9o<IH Tivoli PKI 3sHm<k&Wm0i`NQ9o<IrX

j7^9#5iK"<mr~O7F"WebSphere QNG<?Y<9N+?m0h}N9F

CWr9-CW7^9#

7. CfgPostInstall ,0;7?i"<-N3^sIr~O7^9#

su - cfguser
cd /usr/lpp/iau/bin
./CfgStart -i

CfgStart ,"Directory"F:G<?Y<9"*hS CA G<?Y<9r=.7^9#

CfgStart ,*;9kH"RA 5<P<&^7sKakh&KHNaC;<8,=(5l^

9#

8. 11Z<8NXAIX eGN CfgStart NBTYNb@K>$"FY CfgStart 3^sIrBT

7F" RA 5<P<N=.r31^9#

9. CfgStart Wm0i`+iWmsWHrP5l?i"CA 5<P<"F:5<P<"*hS

Directory 5<P<N$s9H<k5l?^7sKaj^9#

10. 11Z<8NXAIX eGN CfgStart NBTYNb@K>$"CfgStart 3^sIrBT7

F" CA 5<P<HF:5<P<N=.r31^9# CfgStart ,"F:5<P<H CA

N=.rT$^9# CfgStart ,*;9kH"RA 5<P<&^7sKakh&KHNa

C;<8,=(5l^9#


11. 11Z<8NXAIX eGN CfgStart NBTYNb@K>$"CfgStart 3^sIrBT7

F" RA 5<P<N=.r0;7^9#

7Jj* 2 = RA 5<P<H Directory 5<P<, 1 fN^7sKV+lF*j" CA5<P<HF:5<P<Ob& 1 fNLN^7sKV+lF$klg

1. 11Z<8NXAIX eGN CfgStart NBTYKb@5lF$k}!K>$"RA 5<P<e

G Tivoli PKI N=.r+O7^9#

2. CfgStart Wm0i`+iWmsWHrP5l?i" CA 5<P<HF:5<P<N$s9

H<k5l?^7sK\07^9#

3. AIX G root H7Fm0$s7^9#

4. <-N3^sIr~O7F"G#l/Hj<rQ97^9#

cd /usr/lpp/iau/bin

5. <-N3^sIr~O7F"]9H$s9H<k&Wm0i`r+O7^9#

./CfgPostInstall -r

6. CfgPostInstall +iWmsWH,P5l?i"Tivoli PKI RA 5<P<N04$~Ia$s

>H" cfguser NQ9o<IH Tivoli PKI 3sHm<k&Wm0i`NQ9o<IrXj

7^9#5iK"<mr~O7F"WebSphere QNG<?Y<9N+?m0h}N9FC

Wr9-CW7^9#

7. CfgPostInstall ,0;7?i"<-N3^sIr~O7^9#

su - cfguser
cd /usr/lpp/iau/bin
./CfgStart -i

CfgStart ,"F:5<P<H CA 5<P<N=.rT$^9# CfgStart ,*;9kH"

RA 5<P<&^7sKakh&KHNaC;<8,=(5l^9#

8. 11Z<8NXAIX eGN CfgStart NBTYNb@K>$"FY CfgStart 3^sIrBT

7F" RA 5<P<N=.r0;7^9#

7Jj* 3 = RA 5<P<"F:5<P<"CA 5<P<, 1 fN^7sKV+lF*

j" Directory 5<P<Ob& 1 fNLN^7sKV+lF$klg

1. 11Z<8NXAIX eGN CfgStart NBTYKb@5lF$k}!K>$"RA 5<P<e

G Tivoli PKI N=.r+O7^9#

2. CfgStart Wm0i`+iWmsWHrP5l?i" Directory 5<P<N$s9H<k5

l?^7sK\07^9#

3. AIX G root H7Fm0$s7^9#

4. <-N3^sIr~O7F"G#l/Hj<rQ97^9#

cd /usr/lpp/iau/bin

5. <-N3^sIr~O7F"]9H$s9H<k&Wm0i`r+O7^9#

./CfgPostInstall -r


6. CfgPostInstall +iWmsWH,P5l?i"Tivoli PKI RA 5<P<N04$~Ia$s

>H" cfguser NQ9o<IH Tivoli PKI 3sHm<k&Wm0i`NQ9o<IrXj

7^9#5iK"<mr~O7F"WebSphere QNG<?Y<9N+?m0h}N9FC

Wr9-CW7^9#

7. CfgPostInstall ,0;7?i"<-N3^sIr~O7^9#

su - cfguser
cd /usr/lpp/iau/bin
./CfgStart -i

CfgStart , Directory 5<P<N=.rT$^9# CfgStart ,*;9kH"RA 5<P

<&^7sKakh&KHNaC;<8,=(5l^9#

8. 11Z<8NXAIX eGN CfgStart NBTYNb@K>$"FY CfgStart 3^sIrBT

7F" RA 5<P<N=.r0;7^9#

7Jj* 4 = RA 5<P<, 1 fN^7sKV+lF*j" CA 5<P<HF:5<P<

Ob& 1 fNLN^7sK" Directory 5<P<O 3 f\N^7sKV+lF$klg

1. 11Z<8NXAIX eGN CfgStart NBTYKb@5lF$k}!K>$"RA 5<P<

eG Tivoli PKI N=.r+O7^9#

2. CfgStart Wm0i`+iWmsWHrP5l?i" Directory 5<P<N$s9H<k5

l?^7sK\07^9#

3. AIX G root H7Fm0$s7^9#

4. <-N3^sIr~O7F"G#l/Hj<rQ97^9#

cd /usr/lpp/iau/bin

5. <-N3^sIr~O7F"]9H$s9H<k&Wm0i`r+O7^9#

./CfgPostInstall -r

6. CfgPostInstall +iWmsWH,P5l?i"Tivoli PKI RA 5<P<N04$~Ia$s

>H" cfguser NQ9o<IH Tivoli PKI 3sHm<k&Wm0i`NQ9o<IrX

j7^9#5iK"<mr~O7F"WebSphere QNG<?Y<9N+?m0h}N9F

CWr9-CW7^9#

7. CfgPostInstall ,0;7?i"<-N3^sIr~O7^9#

su - cfguser
cd /usr/lpp/iau/bin
./CfgStart -i

CfgStart , Directory 5<P<N=.rT$^9# CfgStart ,*;9kH"RA 5<P

<&^7sKakh&KHNaC;<8,=(5l^9#

8. 11Z<8NXAIX eGN CfgStart NBTYNb@K>$"FY CfgStart 3^sIrBT

7F" RA 5<P<N=.r31^9#

9. CfgStart +iWmsWHrP5l?i" CA 5<P<HF:5<P<N$s9H<k5

l?^7sK\07^9#

10. AIX G root H7Fm0$s7^9#

11. <-N3^sIr~O7F"G#l/Hj<rQ97^9#

cd /usr/lpp/iau/bin


12. <-N3^sIr~O7F"]9H$s9H<k&Wm0i`r+O7^9#

./CfgPostInstall -r

13. CfgPostInstall +iWmsWH,P5l?i"Tivoli PKI RA 5<P<N04$~Ia$s

>H" cfguser NQ9o<IH Tivoli PKI 3sHm<k&Wm0i`NQ9o<IrX

j7^9#5iK"<mr~O7F"WebSphere QNG<?Y<9N+?m0h}N9F

CWr9-CW7^9#

14. CfgPostInstall ,0;7?i"<-N3^sIr~O7^9#

su - cfguser
cd /usr/lpp/iau/bin
./CfgStart -i

CfgStart ,"CA 5<P<HF:5<P<N=.rT$^9# CfgStart ,*;9kH"

RA 5<P<&^7sKakh&KHNaC;<8,=(5l^9#

15. 11Z<8NXAIX eGN CfgStart NBTYNb@K>$"FY CfgStart 3^sIrBT

7F" RA 5<P<N=.r0;7^9#

��� Directory ���

Tivoli PKI 79F`N$s9H<k0K IBM Directory ,8_7F$?lg" Tivoli PKI N

=.Wm;9NUm<O!Nh&KJj^9#

1. =.Wm0i`,"DirAdmin DN HQ9o<IrP$sI7h&H7^9#

¶ P$sG#s0,.y9kH"!KWm0i`O CA DN rIC7^9#

¶ P$sG#s0,:T7?lg"Wm0i`O DirAdmin DN HQ9o<IrIC7

^9#

2. Wm0i`O"root DN HQ9o<IrP$sI7h&H7^9#

¶ P$sG#s0,:T7?lg"Wm0i`Oc0KhCF(i<HJj^9#

¶ P$sG#s0,.y9kH"Wm0i`O LDAP !w (ldapsearch) rnT7F"CA

DN r57^9#

v LDAP !w,.y9kH"Wm0i`O?bTo:""/;9)fO;CH"CW

5l?H+J7^9#

v LDAP !w,:T9kH"Wm0i`O CA DN (*hS"ifkfVN<I) H"

,WJ"/;9)fpsrIC7^9#

m: +0N9-<^!:O?bBT5l^;s#

Tivoli PKI C-N9-<^H DN ,;CH"CW5lF$k{8N IBM Directory O"e-

N=.Wm;9K>$^9#7+7"{8N Directory K Tivoli PKI C-N9-<^H DN

,J$lg" Directory N=.}!Oc3[Jj^9#!N;/7gsGO"J<N@rb@

7^9#

¶ 9-<^, Tivoli PKI C-G"kbNN"DN ,=&GJ$lgK" Tivoli PKI H"H

9kh&{8N Directory r=.9k}!#

¶ 9-<^H DN , Tivoli PKI C-GJ$lgK" Tivoli PKI H"H9kh&{8N

Directory r=.9k}!#


����� �������

57$" Tivoli PKI C-N9-<^,;CH"CW5lF$klg (Tivoli PKI N9-<^

NjAKD$FO 19Z<8NXPKI /i9XN0-NICYr2H)" Tivoli PKI =.Wm

;9O DirAdmin DN H CA DN rn.7h&H7^9#3liN DN Nn.KO"root

DN HQ9o<I,,WG9#77$ DN H,WJfVN<Irn.9kKO"root DN K

b"/;9vD,_j5lF$J1lPJj^;s#=_NH3m"DN Nn.H"/;9)

fNICO,%5lF$^;s#

9-<^, Tivoli PKI C-G"kbNN"DN ,=&GJ$lgO" Tivoli PKI H"H9k

h&{8N Directory r=.9k?aK!NjgrBT7F/@5$#

1. Tivoli PKI ;CH"CW&&#6<I=."WlCHK"/;97" Tivoli PKI =.*W

7gsrXj7^9#

2. Directory 5<P<&*W7gsrXj9kH-KO"V{8N Directory rHQ9kW

r*r7^9#=l+i"Ge^G=.MrXj7^9#

3. =.Mr]I7?i"V*;Wr/jC/7F"Vi&6<rD8^9#

11Z<8NXAIX eGN CfgStart NBTYKb@5lF$k}!K>$"RA 5<P<e

G Tivoli PKI N=.r+O7^9#>N9YFN Tivoli PKI 3s]<MsHH18^7

sK Directory 5<P<r$s9H<k7?lg" CfgStart O=lJepsr~O9kh

&WmsWHrP93HO"j^;s#

jb<H&5<P<K Directory r$s9H<k7?lg" 12Z<8NXjb<H&5<

P<N;CH"CWYN;/7gsG"Tivoli PKI N=.r0;9k?aNX(r2H7

F/@5$#

������� DN �������

57$ Tivoli PKI C-N9-<^,;CH"CW5lF*i:"57$ DN b}?J${8

N Directory r=.9klg"!NjgK>CF/@5$#

1. Tivoli PKI N$s9H<k,0;7?i"Tivoli PKI 5<P<N3^sITr=(7^

9#

2. <-N3^sIrBT7F" Tivoli PKI $s9H<k&G#l/Hj<+i

V3.Modifiedschema.ta U!$kr Directory NljK3T<7^9#

¶ AIX Nlg:

cp /usr/lpp/iau/cfg/V3.Modifiedschema.ta yourDirectoryPath/etc

¶ Windows NT Nlg:

copy "c:¥Program Files¥IBM¥Trust Authority¥cfg¥V3.Modifiedschema.ta" yourDirectoryPath¥etc

V3.Modifiedschema.ta U!$kKO" Tivoli PKI *V8'/H&/i9 pkiUser H

pkiCA N9-<^jA,~CF$^9#

3. Tivoli PKI $s9H<k&G#l/Hj<N V3.user.at NbFH" IBM Directory $s9

H<k&Q9N etc 5VG#l/Hj<K"k V3.user.at U!$kNbFrfS7^9#

jc@rq-1a"=lK>CF Directory 5<P<K"k V3.user.at U!$krQ97

^9#

m: U!$kr3T<9kH" Directory 5<P<N V3.user.at U!$kNbFO Tivoli

PKI U!$kGeq-5l"H%C-NG<?,Ku5lF7^$^9#


4. Tivoli PKI $s9H<k&G#l/Hj<N V3.user.oc NbFH" IBM Directory $s9

H<k&Q9N etc 5VG#l/Hj<K"k V3.user.oc U!$kNbFrfS7^9#

jc@rq-1a"=lK>CF Directory 5<P<K"k V3.user.oc U!$krQ97

^9#

m: U!$kr3T<9kH" Directory 5<P<N V3.user.oc U!$kNbFO Tivoli

PKI U!$kGeq-5l"H%C-NG<?,Ku5lF7^$^9#

5. yourDirectorypath¥etc K"k{8N slapd.conf U!$krT87"J<NTrIC7^

9#

includeSchema /etc/V3.user.oc
includeSchema /etc/V3.user.at
includeSchema /etc/V3.Modifiedschema.ta
suffix "c=us"

6. 3$F";CH"CW&&#6<IrHQ7"Tivoli PKI =.*W7gsrXj7^9#

7. Directory 5<P<&*W7gsrXj9kH-KO"V{8N Directory rHQ9kW

r*r7^9#=l+i"Ge^G=.MrXj7^9#

8. =.Mr]I7?i"V*;Wr/jC/7F"Vi&6<rD8^9#

11Z<8NXAIX eGN CfgStart NBTYKb@5lF$k}!K>$"RA 5<P<e

G Tivoli PKI N=.r+O7^9#>N9YFN Tivoli PKI 3s]<MsHH18^7

sK Directory 5<P<r$s9H<k7?lg" CfgStart O=lJepsr~O9kh

&WmsWHrP93HO"j^;s#

jb<H&5<P<K Directory r$s9H<k7?lg" 12Z<8NXjb<H&5<

P<N;CH"CWYN;/7gsG"Tivoli PKI N=.r0;9k?aNX(r2H7

F/@5$#

PKI ������� ���

IBM Directory GO"0-N!)lYk ("/;9)fNYg$) O!NH*jG9#

“critical” ,GbN!)lYkG"“normal” ,GcN!)lYkG9#

¶ critical

¶ sensitive

¶ normal

Directory N"/;9)fj9HO"0-KhCFGOJ/"!)lYkKhCFXj5l^

9#7?,CF"Directory f<6< (Directory KP$sI5lkf<6<) KO"!)lY

kKhCFI_hj"q-~_"!w"^?OfSNFC"r?(k3H,G-^9#?H(

P"IN CA N DirAdmin b"9YFN!)lYkKOCF"I_hj"q-~_"!w"

*hSfSNF"B,?(il^9#

GU)kHN Directory GO"J<N PKI 0-," critical !)lYkK09kbNH7F

k@5l^9#

¶ authorityRevocationList

¶ caCertificate

¶ certificateRevocationList

¶ crossCertificatePair

¶ deltaRevocationList

¶ userCertificate


=N>K"GU)kHN Directory GO"userPassword 0-," critical !)lYkK09k

bNH7Fk@5l^9#

lLK"PKI 0- (CK caCertificate H userCertificate) KO"I_hj)B,"j^;s#

D^j"Directory KP$sG#s09kMO/Gb (?>GP$sG#s09kf<6<b^

a)" PKI 0-rI_hk3H,G-kh&KJkH$&3HG9#GU)kHN Directory

Nlg"3lO userPassword ,I_hjD=G"k3HrU#7^9# userPassword O PKI

0-H18!)lYkK09k+iG9#

7?,CF";-e"&"/;9rG,=9k?a" Tivoli PKI O PKI 0-N!)lYkr

sensitive KJ<27" sensitive H7Fk@5lk0-K)BJ7NI_hj"/;9r?(

^9#3&7F"userPassword 0-OM3H7F critical H7Fk@5lkbNN"I_hj

,)B5lk3HKJj^9#

PKI 0-N!)lYkrQ99klgO"]9H$s9H<knH,*oC?e"=.nHK

~k0K"!NjgrBT7F/@5$#

1. %_NF-9H&(G#?<G V3.user.at U!$krT87^9#3NU!$kO"<-

NGU)kH Tivoli PKI $s9H<k&Q9K"j^9#

¶ AIX Nlg:

/usr/lpp/iau/cfg/

¶ Windows NT Nlg:

c:¥Program Files¥IBM¥Trust Authority¥cfg¥

2. P]HJk0-N ACTION CLASS NMrQ99k3HKhj"=N0-N!)lYkr

Q97^9#

3. Q9bFr]I7^9#

4. 31F"Tivoli PKI N=.rBT7^9#

PKI �!��������

=TN Tivoli PKI GO"G#l/Hj<K(sHj<rn.9kH-KHQ9k*V8'/

H&/i9r*rG-^9#J0NP<8gsN Tivoli PKI GO"pkiCA H pkiUser *V8

'/H&/i9K)B5lF$^7?# pkiCA H pkiUser *V8'/H&/i9OM3H7

FHQG-^9," Directory 9-<^KjA5lF$k9YFN*V8'/H&/i9+i

*r9k3HbvD5lF$^9#J0NP<8gsN Tivoli PKI GHQ7F$?*V8'

/H&/i9rHQ7"3lK?>0-rIC9k3HK7?lg"?>0-r=liN*V

8'/H&/i9NltH7FIC9k,W,"j^9#3liN*V8'/H&/i9N9

-<^jAO"V3.modifiedschema.ta U!$kK^^lF$^9#J<K9-<^jArJ1

K(7^9#

*V8'/H&/i9

(PKIX LDAP 9-<^ V2)0-j9H

pkiUser ¶ userCertificate

¶ cn

¶ userpassword

¶ mail


pkiCA ¶ cACertificate

¶ certificateRevocationList

¶ authorityRevocationList

¶ crossCertificatePair

¶ cn

¶ o

¶ ou

¶ userpassword

¶ mail

9-<^&U!$kKC(ilkG"m&$5N?$WKO"?>0-H7FHQG-khj

b?/N0-,^^lF$^9#3NQ9r-zK9kKO"]9H$s9H<k&Wm;9

,5oK0;7?e"=.r+O9k0K"!NjgrBT7F/@5$#

1. %_NF-9H&(G#?<G V3.modifiedschema.ta U!$krT87^9#3NU!$

kO"<-NGU)kH Tivoli PKI $s9H<k&Q9K"j^9#

¶ AIX Nlg:

/usr/lpp/iau/cfg/

¶ Windows NT Nlg:

c:¥Program Files¥IBM¥Trust Authority¥cfg¥

2. *r7?*V8'/H&/i9 (pkiUser ^?O pkiCA) KF0-rIC7^9#{8NQ

?<sK3$F"Ik-f ($) GhZCFIC7^9#

9-<^&U!$kGjA5lF$k0-@1r^akh&K7F/@5$#

3. Q9bFr]I7^9#

4. 31F"Tivoli PKI N=.rBT7^9#

[Jk*V8'/H&/i9rHQ9k3HK7?lgO"+9?^$:&Wm;9NlDH

7F*V8'/H&/i9N>0rXj9k,W,"j^9#GU)kH=.GO"!N*V

8'/H&/i9rHQ7^9#


*V8'/H&/i9

(PKIX LDAP 9-<^ V3)0-j9H

=$/i9

inetOrgPerson

,\0-:¶ cn

¶ sn

*W7gs0-:¶ audio

¶ businessCategory

¶ carLicense

¶ departmentNumber

¶ employeeNumber

¶ employeeType

¶ givenName

¶ homePhone

¶ homePostalAddress

¶ initials

¶ jpegPhoto

¶ labeledURI

¶ mail

¶ manager

¶ mobile

¶ pager

¶ photo

¶ preferredLanguage

¶ roomNumber

¶ secretary

¶ uid

¶ userCertificate

¶ userSMIMECertificate

¶ x500UniqueIdentifier

¶ inetOrgPerson NeL*V8'/H&/i9K

hj"ICN0-,w(il^9#

f<6<&(sHj<Ndu/i9

ePerson

,\0-:¶ userCertificate

¶ ePerson du*V8'/H&/i9Khj"I

CN0-,w(il^9#

'ZI(sHj<Ndu/i9

certificationAuthority-V2

,\0-:¶ authorityRevocationList

¶ caCertificate

¶ certificateRevocationList

*W7gs0-:¶ crossCertificatePair

¶ deltaRevocationList


����� DN ���

RsH

1L> (DN) NXjnHrD=K9k?a";CH"CW&&#6<IKO1L> (DN)

(G#?<H$&0iU#+k&f<6<&$s?<U'<9,^^lF$^9#

Tivoli PKI N DN O"~O9kNGOJ/"3ND<krHCFXj7F/@5$#

=.nHK*$FO"#tN Tivoli PKI 3s]<MsH (CA"Directory k<H"*hS

Directory I}T) KP7F=l>lG-N DN rXj9k,W,"j^9# X.509v3 ,JN

A0N DN KD$FO"23Z<8NXDN (G#?<NHQYr2H7F/@5$#

X.509v3 ,JKD$F488NlgO";CH"CW&&#6<INfG DN r~O9k3

HbG-^9# Tivoli PKI G5]<H9k DN 0-O!NH*jG9#

(sHj< 95 M

C= 4 DN N*V8'/H,09kq#3lO ISO 3166 ,JGjA5lF

$k8zsGJ1lPJj^;s#

ST= 128 DN N*V8'/H,09kT;\)#

L= 128 DN N*V8'/H,09kj_O (T.<)#

STREET= 128 DN N*V8'/H,09kVO#

O= 64 3N DN N*V8'/H,09kH%N>N#

OU= 64 3N DN N*V8'/H,09kH%bN1L (t]>)#qRNt

pdWm@/H>JI# 1 DN DN KP7F 4 DJ<N OU 0-

rXjG-^9#

CN= 64 3N DN N*V8'/HN&L>#DMNa>dGP$9NHQ\*

JI#

DC= 64 Ia$s&3s]<MsH#1 DJeNjP1L> (RDN) +i=.

G-^9#F RDN KO(sF#F#<N$s?<MCH&Ia$s

>N3s]<MsH,^^l"GeLN3s]<MsH+igKj9

H5l^9#?H(P"$s?<MCH&Ia$s>

“CS.UCL.AC.UK” Nlg"QA7F

/DC=UK/DC=AC/DC=UCL/DC=CS H9k3H,G-^9#

DN r~O9klgKO"DN A0KD$FN<-NWor~?7F$J1lPJj^;s#

¶ *V8'/Hr1L9k?aK"-R>^?O&L>rdjvFk,W,"j^9#=N

>N0-O9YF*W7gsG9#

¶ CN ,#lN,\0-G"kHO$(" DN r CN 0-@1G=.9k3HOG-^;

s# DN O"CN 0-KC(F"LN0-b^sG$J1lPJj^;s#

¶ CN 0-OGeK~O7^9#

¶ GiN(sHj<r^a"F0-N0K9iC7e (/) rU1^9#

¶ &&KhZj-fOU1^;s#

¶ MKCl8z,^^lF$klgO"=lirsEzQd (″ ″) GO_^9#

¶ LV0-r^aklgO"/ST= /L= /STREET= NgxGXj7^9#


¶ H%0-r^aklgO"/O= /OU= NgxGXj7^9#

¶ LV0-HH%0-O"=l>lNbtGNgx,iilF$kBj"~jr8CFXj

9k3HbD=G9#

Tivoli PKI G>^7$gxO!NH*jG9#

v /C=/DC=/ST=/L=/STREET=/O=/OU=/CN= (G1)

v /C=/DC=/ST=/L=/O=/OU=/STREET=/CN=

v /C=/DC=/ST=/O=/OU=/L=/STREET=/CN=

v /C=/DC=/O=/OU=/ST=/L=/STREET=/CN=

DN N~Ocr<-K(7^9#33GOG1NA0rHQ7F*j"Ia$s>O

TRUSTCA.IBM.COM G9#

/C=US/DC=COM/DC=IBM/DC=TRUSTCA/ST=MD/L=Gaithersburg/STREET=800 N. Frederick Avenue/O=IBM/OU=PKI/CN=TrustCA

Tivoli PKI , Directory rHQ9k}!KD$FO" Tivoli PKI 9?<H"CW&,$I r

2H7F/@5$#
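The DN rules described above, as an added example in Python that is not part of the Tivoli PKI guide: it parses a slash-separated DN, enforces the attribute length limits, checks the attribute sequence against the four permitted orderings, and derives the DC components from a domain name as the guide does for "CS.UCL.AC.UK". It assumes the number beside each attribute in the table is a maximum value length, that DC and OU may repeat (OU at most four times), that CN is mandatory and last, and that a value containing a comma is wrapped in double quotes.

```python
"""Checks for Tivoli PKI style slash-separated DNs.

Added example; not code from the Tivoli PKI guide. Assumptions read from the
guide's attribute table and ordering list: the number beside each attribute
is its maximum value length, DC and OU may repeat (OU at most four times),
CN is mandatory and must come last, a value containing a comma is wrapped in
double quotes, and only the four listed orderings are accepted.
"""
import re

# Maximum value length per attribute (assumed to be character counts).
MAX_LEN = {"C": 4, "ST": 128, "L": 128, "STREET": 128,
           "O": 64, "OU": 64, "CN": 64, "DC": 64}

# The four attribute orderings the guide lists; the first is the default.
ORDERINGS = [
    ["C", "DC", "ST", "L", "STREET", "O", "OU", "CN"],
    ["C", "DC", "ST", "L", "O", "OU", "STREET", "CN"],
    ["C", "DC", "ST", "O", "OU", "L", "STREET", "CN"],
    ["C", "DC", "O", "OU", "ST", "L", "STREET", "CN"],
]

# One component: /KEY=value; a quoted value may contain commas (and slashes),
# an unquoted value runs to the next slash.
_COMPONENT = re.compile(r'/([A-Za-z]+)=("[^"]*"|[^/]*)')


def parse_dn(dn):
    """Split '/C=US/O=IBM/CN=TrustCA' into [('C', 'US'), ('O', 'IBM'), ...]."""
    if not dn.startswith("/"):
        raise ValueError("DN must begin with '/'")
    pos, parts = 0, []
    for m in _COMPONENT.finditer(dn):
        if m.start() != pos:
            raise ValueError("malformed DN near offset %d" % pos)
        key, value = m.group(1).upper(), m.group(2)
        if value.startswith('"'):
            if len(value) < 2 or not value.endswith('"'):
                raise ValueError("unterminated quote in %s value" % key)
            value = value[1:-1]  # drop the quotes around a comma-laden value
        parts.append((key, value))
        pos = m.end()
    if pos != len(dn):
        raise ValueError("unparsed text at end of DN")
    return parts


def _is_subsequence(seq, order):
    """True if seq lists its keys in the relative order given by order."""
    it = iter(order)
    return all(any(k == o for o in it) for k in seq)


def validate_dn(dn):
    """Return a list of problems; an empty list means the DN is acceptable."""
    try:
        parts = parse_dn(dn)
    except ValueError as e:
        return [str(e)]
    keys = [k for k, _ in parts]
    problems = []

    for key, value in parts:
        if key not in MAX_LEN:
            problems.append("unsupported attribute %s" % key)
        elif not value:
            problems.append("%s has an empty value" % key)
        elif len(value) > MAX_LEN[key]:
            problems.append("%s value longer than %d" % (key, MAX_LEN[key]))

    if keys.count("CN") != 1 or keys[-1] != "CN":
        problems.append("exactly one CN is required and it must be last")
    if len(keys) < 2:
        problems.append("a DN cannot consist of CN alone")
    if keys.count("OU") > 4:
        problems.append("at most four OU attributes are allowed")
    for k in set(keys) - {"DC", "OU"}:
        if keys.count(k) > 1:
            problems.append("%s appears more than once" % k)

    # Collapse adjacent repeats (DC=COM/DC=IBM -> DC), then require the
    # remaining sequence to follow one of the permitted orderings.
    collapsed = [k for i, k in enumerate(keys) if i == 0 or keys[i - 1] != k]
    if not any(_is_subsequence(collapsed, order) for order in ORDERINGS):
        problems.append("attribute order is not one of the permitted orderings")
    return problems


def domain_to_dc(domain):
    """'CS.UCL.AC.UK' -> '/DC=UK/DC=AC/DC=UCL/DC=CS' (components reversed)."""
    labels = [label for label in domain.split(".") if label]
    return "".join("/DC=%s" % label for label in reversed(labels))


if __name__ == "__main__":
    # The guide's own example DN, for the domain TRUSTCA.IBM.COM.
    example = ("/C=US" + domain_to_dc("TRUSTCA.IBM.COM") +
               "/ST=MD/L=Gaithersburg/STREET=800 N. Frederick Avenue"
               "/O=IBM/OU=PKI/CN=TrustCA")
    print(example, validate_dn(example) or "OK")
    # L before ST matches none of the permitted orderings.
    print(validate_dn("/C=US/L=Gaithersburg/ST=MD/CN=TrustCA"))
```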

DN "�������

;CH"CW&&#6<I+i1L> (DN) rXj9kh&KX(5l?lgKO"<-N

DN (G#?<N"$3sr/jC/7F"1L> (DN) (G#?<r+O9k3H,G-^

9#

3lO0iU#+k&f<6<&$s?<U'<9G"j" DN NINt,r^ak+

rJ1KXjG-kh&KJCF$^9# DN K^ak0-KD$FNVis/K~O7"

0-gxsNj9H+i*r7F/@5$#

DN (G#?<O"DN r#tN?VU-(j"K,d7^9#

¶ n.7F$k DN NDM"Wm0i`"^?OGP$9KD$FNlLps (DN NP

]) r^Ha?(j"

¶ DN NP]rj-9kH%KD$FNpsr^Ha?(j"

¶ DN NP]NLVKD$FNpsr^Ha?(j"

¶ DN N5^6^Jt,Ng!A0r1L9k(j"

lLps

&L> 3N DN NP]r=9-R>r~O7F/@5$#DMNlgO"Lo=N

MNa>G9#5<P<""Wj1<7gs"GP$9"^?O>N*V8'

/HNlg"=N!=d\*,,+kh&J>0rdjvFF/@5$#

q 3N DN N*V8'/H,09kqr*r7F/@5$#

Ia$s>

3N(sHj<r(9$s?<MCH&Ia$s>r~O7F/@5$#

H%ps

H%> (*W7gs) 3N DN N*V8'/H,09kH%N>Nr~O7^9#?

/Nlg"3lO"=NH%N?aK50KP?5lF$k>NG9#t]>

r^aklgO"H%>rGiKXj9k,W,"j^9#


t]> (*W7gs) 3N DN N*V8'/H,09kH%bNt]>r~O7^

9#?H(P"\R"+&sHJINH%tg"^?O=J>JINnH+F

4j<JIG9#CjN DN r"Gb 4 DNt]KX"U1k3H,G-^

9#

LVps

T;\)

(*W7gs) DN N*V8'/H,*}*K09kT;\)rXj7^9#

3lO"P],?i+NU#N"kE}GX"U1ilF$kO}*JhhK

9k3HbG-^9#Lo3lO"DN ,j07F$kH%NLVG9#

T;\)N04J>Nr~O9k+"=lHb8`*JJ,ArH&+O"P

?N_jKhCFc$^9#?H(P"New York ^?O NY H~O7^

9#

j_O (*W7gs) DN NP],*}*KLV9kT.< (VChicagoWdVParisW

JI) rXj7^9#3lO"DN NP]KP7F?i+NU#r}DO}*

JhhK9k3HbG-^9#j_Opsr^aklgO"T;\)rGiK

Xj9k,W,"j^9#

VO (*W7gs) DN N*V8'/H,09kVOrXj7^9#Lo3lO"

DN ,j07F$kH%NVOG9#VOr^aklgO"T;\)Hj_O

rGiKXj9k,W,"j^9#

A0?$W:3N DN r@NGG-NbNH9k0-r1L7?i"0-gxsr*r9k,W,

"j^9#*W7gsr*r9kH"DN (G#?<KO"*r5l?gxGBYi

l? DN ,INh&KJk+Nc,=(5l^9#

*r9kgxsO"H%,=N=$rINh&K+F$k+"CjNI}Ia$sK

^ak=jN(sF#F#<"*hS Directory NHQH!w}!K^C?/M87

F$^9#

?H(P"H%,#tNljK*U#9r}CF$klg"H%psN0KLVps

rXj9k3H,G-^9#3N}!GO"Directory HqOCjNO}*NhK09

k(sHj<@1KBj5lk3HKJj^9#

DN (G#?<NVU)<^CHW(j" (DN NA0r=(9k) N&^<8sK"

ZjNFil?F-9H,=(5lklg,"j^9#3lO=((i<G"j"n

.5lk DN NA0=NbNKFAO"j^;s#

LV,h

3lOLVpsN4NrH%pshj0KXj9kA0G9#3lOGU)k

HNA0G"j">^7$A0G9#0-NgxO!NH*jG9#

/���/�/����/���/����/���/���

H%K3$F.>"VO

3NA0GO"DN N*V8'/HKP~9kH%psNeKVOrXj7^

9#0-NgxO!NH*jG9#

/���/�/����/���/��/���/��/���


H%K3$FT.<>

3NA0GO"DN N*V8'/HKP~9kH%psNeKT.<>HVO

rXj7^9#0-NgxO!NH*jG9#

/���/�/����/��/���/���/��/���

H%K3$FT;\)>

3NA0GO"H%psNeKLVpsrXj7^9#0-NgxO!NH*

jG9#

/���/�/��/���/����/���/��/���

��#���$���

-i *W7gsrXj7F CfgStart Wm0i`rBT9kH"?tN=.aC;<8,=(5

l^9#=liNaC;<8O"Wm;9NBTf"hLr9/m<k7F=(5l^9# -i

*W7gsrXj7J$G CfgStart Wm0i`rBT7?lgO"m0&U!$kr=(7

F"=.NJTrbK?<9k3H,G-^9#3Nm0&U!$kO instCfg.log H$&>

0G"$s9H<k&k<HN logs 5VG#l/Hj<K"j^9#GU)kHN Tivoli

PKI $s9H<kNlg"3NU!$kNGU)kHN$s9H<k&Q9O

/usr/lpp/iau/logs/instCfg.log G9#

�����

=.Wm;9,*;7?i"79F`,57/=.5lF$k3HrN'7J1lPJj^;

s#J<NjgGO"Z@qrh@G-k3Hr 2 sN'9kh&aail^9#79F`

,GiK=.5l?H-K 1 s"79F`N7cCH@&sHFO0,04KTol?eK

1 sG9#

1. =.,0;7?i"o</9F<7gsGVi&6<r+-^9#<-N Web "Il9

K"k"P? Web 5$HK"/;9G-^9#

http://MyPublicWebServer/MyDomain/index.jsp

MyPublicWebServer Ox+ Web 5<P<N[9H>" MyDomain OP?Ia$sN>0

G9#

Vi&6<KP?wzZ<8,=(5l^9#GU)kH&$s9H<kNlg"3N>

0OVZ@q;s?<WG9#3N>0OH%KhCFc&3H,"j^9#

2. Vinstall our server’s CA certificateWXNjs/r/jC/7^9#3NZ@qKh

CFVi&6<OP?5<S9+iNL.r'Z9k3H,G-^9#-h3NVi&6

<+iFSP?5<S9K\39klgO"3N9FCWrJ,G-^9#

3. Certificate Enrollment (j"G"

a. Enrollment Type → Browser certificate r*r7^9#

b. Action → Enroll r*r7^9#

c. OK r/jC/7^9#

4. *si$sX(K>CF"P?U)<`N>}Nt,r0.5;^9#

U)<`bN Registration Information NfN Type of Certificate N*rGO"

Web Client Authentication (1 Year) r*r7F/@5$#GU)kH&$s9H<k

Nlg"3lKhCF'ZWa,+05'Wm;9hCFh}G-kh&KJj^9#


5. P?G<?,0.7?i"VP?WaNw.Wr/jC/7^9#

6. *si$sG=(5lkX(K>CF"WaNu7r4Y^9#3Nu7Z<8KVC/

^</rU1F*1P"=3KaCFu7r4Yk3H,J1KJj^9#

B4N?a"WarBTMj7?eG=(5lkWa ID r-?7F*$F/@5$#P

?U)<`K*$FERa<kKhkLNru1hk3HrXj7?lg"=NWa ID

,wil^9#

7. Wa5'eKGiKu7rN'7?~@G"Z@q,+0*K@&sm<I5l"Vi&

6<K$s9H<k5l^9#5'LNNfK(5lF$k*si$sX(K>CF"5

7/$s9H<k5lF$k+I&+rN'7F/@5$#

8. Tivoli PKI 79F`I},$I Kb@5lF$kjgK>$"9YFN Tivoli PKI 3s

]<MsHrd_7^9##tN^7sK Tivoli PKI r$s9H<k7?lgO"F5

<P<&Wm0i`r57$gxGd_7^9#

9. (Windows NT N_) =l>lN&#sI&G Ctrl-C r~O7F";CH"CW&&#

6<IKX89k WebSphere Application Server H IBM HTTP Server rd_7^9#

10. Tivoli PKI 79F`I},$I Kb@5lF$kjgK>$"9YFN Tivoli PKI 3s

]<MsHr+O7^9##tN^7sK Tivoli PKI r$s9H<k7?lgO"F5

<P<&Wm0i`r57$gxGO07^9#

11. e-N9FCW (25Z<8N1 N9FCW+i9FCW 7) r+jV7"Vi&6<Z@

qrh@G-k3HrFSN'7^9#

3N 2 V\NZ@qr5oK$s9H<kG-?Ji"79F`OWaNh}r+O9k`

w,0CF$k3HKJj^9#P?Wm;9*hSf<6<,~jG-k5^6^J?$W

NZ@qKD$FO" Tivoli PKI f<6<:&,$I r2H7F/@5$#

��������

77$ Tivoli PKI 79F`N$s9H<kr!:7?Ji"=N79F`N;CH"CWr

0;7"BT/D-QK=lr;-e"K9k?aK$/D+N9FCWrBT9k,W,"

j^9#

¶ ;CH"CW&&#6<Ir;-e"K9k

¶ Directory vDrQ99k (AIX N_)

¶ 5<P<&Q9o<IrQ99k

¶ =.U!$krT89k (,WJlgN_)

¶ P?Tr'D9k

¶ 77/=.7?79F`rPC/"CW9k

¶ P?Ia$sr+9?^$:9k

¶ I}THf<6<r5i9k#!NqAr2H7F/@5$#

v Tivoli PKI P?IG9/HCW&,$I# RA Desktop K"/;97"=lrHCFZ

@qrI}9k}!KD$F-\5lF$^9#

v Tivoli PKI f<6<:&,$I#Vi&6<&Y<9NP?U)<`rHQ9k}!K

D$F-\5lF$^9#


��������������%����

;CH"CW&&#6<IrBT7F=.Mr,Q7?Ji"=N"WlCH,3N Tivoli

PKI 5<P<eGFBT5lk3H,J$h&K9k,W,"j^9#CjN Tivoli PKI 7

9F`r$C?s=.9kH"=lrF=.9k3HOG-^;s#=.Wm0i`NfKO

CjN3s]<MsHNF=.rI0?aNUi0,QU5lFO$^9,""WlCHNB

4]nN?aK5iK$/D+N9FCWrBT9k[&,h$+b7l^;s#

;CH"CW&&#6<I,FSBT5lJ$h&K9kKO">0rQ99k+"^?OJ

1K"/;9G-J$G#l/Hj<K\07F/@5$#$s9H<kfK";CH"C

W&&#6<IO<-NLVK$s9H<k5l^9#

¶ AIX Nlg""WlCHNGU)kH&Q9O<-NH*jG9#

/usr/lpp/iau/cfg/CfgSetupWizard.html

¶ Windows NT Nlg""WlCHNGU)kH&Q9O<-NH*jG9#

c:¥Program Files¥IBM¥Trust Authority¥cfg¥CfgSetupWizard.html

AIX �� Directory �����

AIX WiCHU)<`G Tivoli PKI r=.7?lg" slapd.conf U!$kNj-"NvDr

Q99k,W,"j^9#=.NBTf"Tivoli PKI O"$/D+N Directory =.U!$k

Nj-Tr cfguser.cfggrp K_j7^9#j-Tr ldap.ldap KQ97J1lPJj^;s#

=&9kH"Directory I}TO" Directory r Tivoli PKI H&Q9kD=-N"k>N=J

,,WH9kQ9rC(k3H,G-kh&KJj^9# Directory NvDrQ99k}!

O"!NH*jG9#

1. root H7Fm0$s7^9#

2. <-N3^sIr~O7F"G#l/Hj<rQ97^9#

cd /usr/ldap/etc

3. <-N3^sIr~O7F"j-TNvDr57/_j7^9#

chown ldap.ldap slapd.conf

�����&�������

Tivoli PKI N=.GO"<-NQ9o<IrXj7^9#

¶ Directory k<HN?aK 1 DNQ9o<I

¶ Directory I}TN?aK 1 DNQ9o<I

¶ CA 4758 WmU!$k (*W7gs)N?aK 1 DNQ9o<I

¶ RA 4758 WmU!$k (*W7gs) N?aK 1 DNQ9o<I

CjNI}D<krBT9kKO"3liNQ9o<IrP(F*/3H,,WG9#5i

K"79F`rB0b<IK9k0K"Q9o<IQ9f<F#jF#<rBT7FFHi9

FCI&3s]<MsH4HNQ9o<IrXj7F/@5$#79F`r;-e"K7"7

9F`XN"/;9r)f7"3s]<MsHr;-e"K+O9k?aK"3N9FCWO

EWG9#

5<P<&3s]<MsHN'ZN?aN0O"=l>lLDNEf=5l? KeyStore K]

I5l^9#3Nf<F#jF#<rGiKBT7?~@GO"=.fKXj7?Q9o<I

rXj9k,W,"j^9#


Q9o<IQ9eO"vD5l?3s]<MsH@1, KeyStore H=NfN0*hSEf=

G<?K"/;9G-kh&KJj^9#

Q9o<IQ9f<F#jF#<NHQKD$FO"Tivoli PKI 79F`I},$I r2H

7F/@5$#

��'(� ���

=.Mr]I7F=.Wm;9r+O9kH"=.Wm0i`O$/D+N=.U!$kr9

77^9#=liNU!$kKhCF"=JNF3s]<MsHNBT~N0n,)f5l^

9#

=.Wm;9fK_j7?H*jN=.MrHQ9k3H,G-^9#D=Ji=lrHQ7

F/@5$#7+7"n0D-N,Wrhjh/~?9h&K"CjNMr409k3HbG

-^9#?H(P"5<P<N?$`"&HMr407?j]<js0VVr407?jG-

^9#

Tivoli PKI =.U!$kNT8KD$F"^?Q9G-kQia<?<HQ9G-J$Qia

<?<KD$FO" Tivoli PKI 79F`I},$I r2H7F/@5$#

������

Tivoli PKI O"P?WaKP9k+05'r5]<H7F$^9#I}T,WarN'7F"

=lir5'7?jq]7?jG-kh&K9kKO"=Nf<6<r Tivoli PKI P?TH

7FXj9k,W,"j^9#'D5l?P?TO"RA Desktop rBT9k3HKhCFZ

@q*hSP?WarI}9k3H,G-^9#P?nHr5]<H9k?aNP?TO"?

MGb'DG-^9#

Tivoli PKI KO"3NWm;9N?aKHQ9k3^sI&i$s&f<F#jF#<,QU

5lF$^9# add_rauser f<F#jF#<rHQ7FI}f<6<r'D9klgKO"

P?Ia$sH=Nf<6<NC"rXj7^9#?H(P""kP?TKOWaN5'Hq

]@1r'D7"LNP?TKO=lH&KZ@qNhjC7r'D9k3H,G-^9#

¶ P?TNICKD$FO"Tivoli PKI 79F`I},$I r2H7F/@5$#

¶ RA Desktop N"/;9HHQKD$FO"Tivoli PKI P?IG9/HCW&,$I r2

H7F/@5$#

Tivoli PKI �� ��������

79F`rB0b<IK9k0K"9YFN5<P<&3s]<MsHH=NG<?Y<9&

j]8Hj<N=TPC/"CW,"k3HrN'7F/@5$#3lKO"!NbN,^^

l^9#

¶ a$s Tivoli PKI 5<P<#3lKO"P?I"9YFN Tivoli PKI 3"&=UH&'

"H5]<H&f<F#jF#<"=.*hSP?G<?N?aKn.5l?G<?Y<

9,^^l^9#

¶ Web 5<P<#3lKO"WebSphere "Wj1<7gs&5<P<H HTTP 5<P<,

^^l^9#

¶ Directory 5<P<#3lKO"Directory NG<?Y<9,^^l^9#

¶ CA *hSF:5<P<#3lKO CA *hSF:G<?N?aKn.5l?G<?Y<

9,^^l^9#


¶ 4758 3Wm;C5< ($s9H<k5lF$F"#s$s9H<k7? Tivoli PKI GH

Q5lF$klg)#

Tivoli PKI NfG]n9k,WN"k3s]<MsHNPC/"CWKD$FO"Tivoli PKI

79F`I},$I r2H7F/@5$#

DN ����������� Directory ���

BT/D-G CA N,tN0&NIa$s>rHQ7FZ@qr/T9k3H,,WJl

g" Directory rQ97F"Tivoli PKI , Directory K,trn.G-kh&K7F/@5

$#

1. IC9k,WN"k\xtr=L7^9#

2. slapd rd_7^9#

3. slapd.conf U!$krQ97"Directory K\xtrIC7^9#

4. slapd rFO07^9#

5. \xtKP~9k Directory Dj<K*V8'/HrIC7^9#

6. \xt4HK"/;9)fj9H (ACL) r$57^9#

7. raconfig.cfg U!$kN ldap_autoCreate_entries Ui0, true K_j5lF$k3HrN'

7^9#

�� LDAP ������� ACL ���

Tivoli PKI O" Directory I}TNf<6< ID HQ9o<IrHQ7F Directory KP$s

I7^9#77$\xtrIC9k?SK"=N ACL K Directory I}Tr^ak,W,"

j^9#?H(P"\xtK Directory I}T,IC5l? ACL O!Nh&KJj^9#

access-id:CN=DIRADMIN,OU=TIVOLI PKI,O=YOUR ORGANIZATION,C=US:object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc

1MK"?>f<6< (CN=ANYBODY) N?aN77$\xtKO"!NbN,,WG9#

group:CN=ANYBODY:normal:rsc:sensitive:rsc

normal"sensitive"*hS critical O ACL N/i9G"j" rwsc OvDlYk (I_hj"

q-~_"!w"fS) G9#

���#��������)

P?Ia$sGO"Tivoli PKI KQU5lF$kP?!=rHQ9k3H,G-^9#7+

7"$/D+NP?U)<`^?OP?Wm;9rQ97F"G#8?k'ZKX9kH%N

CjN\8r?G9k3HbG-^9#?H(P"Vi&6<P?U)<`KqRNm4r=

(9k3H,G-^9#^?"CjN/i9Nf<6<"5<P<"^?OGP$9NP?r

5]<H9kh&K"Z@qWmU!$krn.^?O+9?^$:9k3HbG-^9#

Tivoli PKI r$s9H<k7F;CH"CW&&#6<IrBT7?Ji"P?Ia$srj

A9kU!$kN?/O"B]NH3Kgo;F+9?^$:D=G9#+9?^$:nHr

9klgO"Q99k=jNU!$kNPC/"CW&3T<rn.9kh&K7F/@5

$#

!NU!$kr+9?^$:G-^9#=.f"3liNU!$kOP?Ia$sNG#l/

Hj<&Q9NfKn.5l^9#


¶ etc 5VG#l/Hj<K$s9H<k5lF$k=.U!$k (U!$k&?$W .cfg

NU!$k)#?H(P"RA 5<P<^?O RA Desktop N?Q_jMr409k3H,

G-^9#

¶ etc 5VG#l/Hj<K$s9H<k5lF$k5sWkLNl?< (U!$k&?$W

.ltr)# Tivoli PKI KO"Wa,5'^?Oq]5l?3Hrf<6<KLN9k?aN5

sWk&F-9H,woCF$^9,"H+Kn.9k3HbG-^9#

¶ P?Ia$sNk<H&G#l/Hj<K$s9H<k5lF$k HTML U!$k (U

!$k&?$W .html) H Java Server Page (U!$k&?$W .jsp)"*hS webpages 5

VG#l/Hj<K$s9H<k5lF$k0iU#C/9&U!$k (U!$k&?$

W .gif)#?H(P"Vi&6<P?U)<`K=(5lkF-9Hd0iU#C/9rQ

99k3H,G-^9#^?"{8NZ@qWmU!$kr+9?^$:7?j"77$

Z@qrjA7FH%NZ@q]j7<r5]<H7?jbG-^9#

¶ bin 5VG#l/Hj<K$s9H<k5lF$k]j7<P}k<As (policy_exit)#

Tivoli PKI GO"+05'h}NcH7F3NP}k<As,QU5lF$^9#>NP

}k<Asrn.7F"P?Wm;9r>N"Wj1<7gsH}g7?j"^?OH+

NWm;9&"/7gsrFSP7?j9k3H,G-^9#

¶ S8M9&Wm;9&*V8'/H (BPO)#H+NH3WoKgo;F+9?^$:7?

BPO rn.G-^9# BPO N+/Njz-KD$FO" IBM lCIVC/ Working

with Business Process Objects for Tivoli SecureWay PKI (SG24-6043-00) r2H7F/@5

$#

P?*hS'ZNWm;9KP9kQ9H=N}!KD$FO" Tivoli PKI Customization

Guide r2H7F/@5$#

�� �����

Tivoli PKI N3N$s9H<kKD$F"=.Mr,Q7F=.Wm0i`rBT7?Ji"

=lJ_K79F`rF=.9k3HOG-^;s#

CjN?Q)frQ99k?aK$/D+N=.MrT89k3HOG-^9,"0K=.7

?79F`rQ99k?aK;CH"CW&&#6<IrFBT9k3HOG-^;s#

79F`=.eK97D=J=.Qia<?<KD$FO"Tivoli PKI 79F`I},$I

r2H7F/@5$#

Tivoli PKI � Policy Director ���

Tivoli PKI H Directory r&Q7"Tivoli PKI CA ,p>7?Z@qru1~lkh&"

Tivoli Policy Director r;CH"CW9k3H,G-^9# Tivoli PKI H Policy Director ,

j_nQ7F;-e"&j=<9r&Q9kh&K;CH"CW9kjgNWsrJ<K(7

^9#

1. Tivoli PKI N$s9H<kH=.rT$"1HG57/!=9k3HrN'7^9#

m: Policy Director N`wH7F";CH"CW&&#6<IrBT9kH-K"GU)

kHN Directory k<H DN rQ99k,W,"j^9# Policy Director GO"k<

H DN K9Z<9r^ak3H,G-^;s#


AIX WiCHU)<`G Tivoli PKI r=.7?lg" 27Z<8NXAIX GN

Directory vDNQ9YNjgK>$^9#J<N9FCWO" Directory rHQ9k

h& Policy Director r=.9kK"?CFEWJ9FCWG9#

2. DCE N$s9H<kH=.rT$^9#1HG57/!=9k3HrN'7"<-N3^

sIr~O7F"DCE 5<S9,xQD=G"k3HrN'7^9#

dcecp -c cell ping

3. Directory 5<P<K"Policy Director ,,WH9k Directory (sHj<rn.7^9#

DN G"3s^NeK9Z<9,^^lF$J$3HrN'7^9#,\N(sHj<N

\YKD$FO"Policy Director NqAr2H7F/@5$#lL*JXKH7FO"J

<NbN,"j^9#

¶ Directory I}T]<Hr;CH"CW7"V"I_K9Hl<?<WZ<8r)Ae

2F",WJ"I_K9Hl<?<&(sHj<rn.7^9#

¶ Directory Management Console rHQ7F",WJICN(sHj<rn.7^9#

4. NetSEAT H Policy Director r$s9H<k7^9#3s]<MsH,"/F#VG"

j"L.D=G"k3H"*hS1HG57/!=9k3HrN'7^9#

IBM lCIVC/ Tivoli SecureWay Policy Director Centrally Managing e-business Security

(SG24-6008-00) O" Policy Director N$s9H<kH=.Kr)A^9#

3N~@G"Tivoli PKI H Policy Director O>}Hb"18 Directory r&-9kh&57

/=.5lF$^9#

Tivoli PKI �������

Tivoli PKI r"s$s9H<k9kKO"!NjgK>CF/@5$#?H(P"B0D-G

HQ9k=jN79F`r$s9H<k9k0K"F9H\*G_j7? Tivoli PKI NP<

8gsr"s$s9H<k9k3H,G-^9#

5]<H5lF$k5<P<&WiCHU)<`4HK"jgO=l>l[Jj^9#

AIX ���������

AIX 79F`eN Tivoli PKI 5<P<&3s]<MsHr"s$s9H<k9klgO"!

NjgrHQ7F/@5$# Tivoli PKI =UH&'"r|n9k0K"!N,$Ii$sr

N'7F/@5$#

¶ Tivoli PKI 3s]<MsHr#tN^7sK$s9H<k7?lgO"<-N9FCWr

+jV7F"F^7s4HK=UH&'"ro|9k,W,"j^9#

¶ 8_7J$Wm;9^?OG<?Y<9KX9k(i<&aC;<8ru1hC?lg

O"=lr5k7F"9/jWHr3T7F/@5$#

1. Tivoli PKI AIX 5<P<K root H7Fm0$s7^9#

2. bin 5VG#l/Hj<K\07"!N3^sIr~O7^9#

cd /usr/lpp/iau/bin

3. <-N3^sIr~O7^9#

./Uninstall_TPKI


4. WmsWH,P5l?i"3sHm<k&Wm0i`NQ9o<Ir~O7^9#hLK

=(5lkX(K>$^9##t^7s=.G"s$s9H<krBT9klg"(i<

,/89kD=-,"j^9#"s$s9H<k&Wm;9XNFAOJ$NG"(i<

O5k7F/@5$#

5. "s$s9H<k,0;7?i"79F`rFO07^9#

Windows NT ��������� Windows NT 79F`eN Tivoli PKI 5<P<&3s]<MsHr"s$s9H<k9kl

gO"!NjgrHQ7F/@5$# Tivoli PKI =UH&'"r|n9k0K"!N,$I

i$srN'7F/@5$#

¶ 3s]<MsHr#tN^7sK$s9H<k7?lgO"<-N9FCWr+jV7

F"F^7s4HK=UH&'"ro|9k,W,"j^9#

¶ 8_7J$Wm;9^?OG<?Y<9KX9k(i<&aC;<8ru1hC?lg

O"=lr5k7F3T7F/@5$#3NjgOlL*Jjz-G9#79F`GB]

KBT9kWm;9O[JkD=-,"j^9#

¶ 3NjgGO"GU)kHN$s9H<k&Ii$V (c:)"GU)kHN Tivoli PKI =.

f<6<> (cfguser)"*hSGU)kHN Tivoli PKI G<?Y<9>r0sH7F$^

9#$s9H<k&79F`G[JkMrHQ7F$klgO"=lKgo;FjgKQ

9rC(F/@5$#

1. V9?<HW → VWm0i`W → VIBM SecureWay Trust AuthorityW → VTrustAuthority Nd_WNgK*r7^9#

2. 9YFN3s]<MsH,d_7?3HrN'7?i"V9?<HW → V_jW → V3

sHm<k QMkWNgK*r7^9#

3. V"Wj1<7gsNICHo|Wr@Vk/jC/7^9#

4. VIBM SecureWay Trust AuthorityWWm0i`&U)k@<r*r7"VICHo

|Wr/jC/7^9#

5. Wm0i`ro|9k+I&+rN'9kh&%5l?i"VO$Wr/jC/7^9#

6. V9?<HW → VWm0i`W → VDB2 for Windows NTW → V3^sI&&#sI

&WNgK*r7F" DB2 3^sI&&#sI&r+-^9#

7. <-N3^sIr~O7F"Tivoli PKI N$s9?s9HG<?Y<9r"s$s9H<

k7^9#

set db2instance=cfguser
db2 force application all
db2 terminate
db2 drop db adtdb
db2 drop db pkrfdb
db2 drop db ibmdb
db2 drop db cfgdb
db2stop
db2idrop cfguser
rd /s c:¥cfguser

8. <-N3^sIr~O7F"Directory N$s9?s9HG<?Y<9r"s$s9H<

k7^9#3NjgO" Directory , Tivoli PKI KhCF$s9H<k*hS=.5l

?3Hr0sH7F$k3HKmU7F/@5$# Tivoli PKI r{8N Directory Kg

o;F=.7?lgO"=lK~8F9FCWr407F/@5$#


m: Directory r"s$s9H<k9k,WO"j^;s#3lrFxQ9klgO"!

s;CH"CW&&#6<IrBT7F Tivoli PKI r=.9kH-K"{8N

Directory rHQ9k3HrXj7F/@5$#

set db2instance=ldapInst
db2 force application all
db2 drop db ldapDB
db2stop
db2idrop ldapInst
rd /s c:¥ldapInst

9. Tivoli PKI N?aK$s9H<k5l?G#l/Hj<,9YF|n5l?3HrN'7

^9#GU)kHN$s9H<k&Q9O c:¥Program Files¥IBM¥Trust Authority G9#

3NQ9NfNG#l/Hj<rj0Go|7F/@5$#

10. Windows NT r7cCH@&s7?e"FO07^9#


3N;/7gsNFHTC/O"Tivoli Public Key Infrastructure r}r7FHQ9k?aKr

)A^9# Tivoli PKI N!=KD$FNlLps"*hS Tivoli PKI 79F`N_j~K=

.9k,W,"k3s]<MsHKD$FN\Yps,-\5lF$^9#

��Tivoli PKI GO"F:5<P<O!Nh0r5]<H7^9#

¶ P?Id'ZIJINF:/i$"sH+iF:$YsHru1hj^9#

¶ ?/Nlg DB2 G<?Y<9K]I5lF$kF:m0K$YsHrq-~_^9 (m

0rG<?&U!$kH7F]I9k3HbD=)#m0KO"1 DNF:$YsH4HK

1 l3<I,^^lF$^9#

¶ F:/i$"sHG"CjNF:$YsHr^9-s0G-kh&K7^9#"koN$

YsHOoKm0K-?5l^9,"=N>N$YsHrsp7J$h&K9k?aN^

9-s0h},D=G9#3lKhCFF:m0N5$:r)f7"+,ND-K*$F

CKX8N"k$YsH@1r-?9k3H,G-^9#

¶ F:l3<I4HKaC;<8N'3<I (MAC) rW;7^9# MAC O"G<?Y<

9NbFN0g-r]Z9k?aNbNG9#?H(P""kl3<I,m0K-?5l

FJhKQ95l?N+";}ru1?N+""k$Oo|5l?N+r4Yk3H,G

-^9#

¶ F:G<?Y<9*hS"<+$VQ_F:l3<IKX9k0g-!:rBT9k?a

ND<krs!7^9#

¶ F:G<?Y<9N=_NuVr"<+$V7Fp>9kD<krs!7^9#;-ej

F#<N?aKO"j|*KF:G<?Y<9r"<+$V7F"=lrLNljK]I

9kh&K7F/@5$#5iK"G<?Y<9r"<+$V9kJi"QU)<^s9

N@GbG#9/&9Z<9ras9k@Gbx@,"j^9#

;CH"CW&&#6<IrBT9k]KO"F:5<P<N[9H>rXj9k,W,"j

^9#^?"F:5<P<,/i$"sHWar listen 9k?aNu-]<HbXj9k,W

,"j^9#

79F`r=.7?Ji"<-NnHKX7F Tivoli PKI 79F`I},$I r4YF/@

5$#

¶ Q9o<IQ9D<krBT7F"F:"I_K9Hl<?<QNQ9o<IrQ99k

3H#3N9FCWO"F:m0XN"/;9dF:I}D<kNBTrF:5<P<@

1,T&h&K9k?aKEWG9#


¶ AuditIntegrityCheck D<krBT7F"F:G<?Y<9H"<+$VQ_F:U!$k

N0g-r!:9k3H#

¶ AuditArchiveAndSign D<krBT7F=TNF:G<?Y<9=N9YFNl3<Ir

U!$kK"<+$V7"U!$kKp>9k3H#

���'ZI (CA) O"e-business NvvTj_N.jr]Z9k".jN*1kh0TNrdrL

?7^9#Z@qr/T9k3HKhCF"f<6<N1l-r]Z7^9#Z@qKO"f

<6<N1l-@1GJ/"f<6<,L.rN'*hSEf=9k?aKH&x+0b^^

lF$^9#

3Nh&J;-ejF#<&bGkGO"L.jjN.Q-O"Z@qr/T7? CA N.

j-KM87^9#Z@qN0g-r]Z9k?a"CA [email protected]@qK

G#8?kp>rU1^9#Z@qrQ97h&H9kH"p>,5zKJj"HQT=KJ

j^9#

Tivoli PKI GO"CA O!N"/F#SF#<r5]<H7^9#

¶ Z@qNG--r]Z9k?a"CA O77$Z@q4HK"^?Z@q,975lk4

HK7j"kVfr8.7^9#3N7j"kVfO"Z@qNfN1L> (DN) Nlt

H7FO]I5lJ$G-N1LVfG9#

¶ /T9kZ@qrIW9k?a"CA O/TQ_Z@qj9H (ICL) rI}7F$^9#

ICL KO"FZ@qN]n3T<K"$sGC/9H7F7j"kVfrU1?bN,]

I5l^9#?/Nlg"ICL O DB2 G<?Y<9H7Fn.5l^9#

¶ hjC5l?Z@qrIW9k?a"CA OZ@qhjC7j9H (CRL) rn.7"97

7^9#Z@qKp>9kNH18h&K7F"CA O CRL N0g-r]Z9k?a"

9YFN CRL KG#8?kp>rU1^9#

¶ G<?r~Q+i]n9k?a"CA OG<?Y<9Kq-~^lkl3<I4HKaC

;<8N'3<I (MAC) rW;7^9# MAC O"G<?Y<9fNG<?,Q95l

?jo|5l?j7?lgK=N3Hr!PG-kh&K7F"G<?Y<9N0g-r

]Z7^9#

¶ CA Np>r5iK/OK]n9k?a"CA K IBM 4758 PCI Ef3Wm;C5<rH

_go;k3H,G-^9# 4758 O"Ef0rO<I&'"*K]I9k3HKhC

F"CA Np>0rEf=*hS]n7^9#

¶ F:*hSG<?&j+Pj<r5]<H9k?a"CA Ot?/NF:P]N$YsH

N?aNF:l3<Ir8.7^9#=liNl3<IO"F:5<P<KhCF DB2

G<?Y<9K]I5l^9#

Tivoli PKI CA KD$FO"Tivoli PKI 79F`I},$I r2H7F/@5$#?H(

P"3NqAKO"CA 5<P<NBT~*W7gsN40KX9kXKd"j_'Z*hS

,X CA Hi9H&bGkrN)9kjg,\;ilF$^9#


DB2 ������Tivoli PKI GO"IBM DB2 fKP<5k&G<?Y<9 (Universal Database) rHQ9k3

HKhCF"Z@qG<?"P?G<?"*hSF:m0r]I7^9#;CH"CW&&#

6<IrBT9k0K"Tivoli PKI 5<P<&3s]<MsHr$s9H<k9kF^7s4

HK DB2 =UH&'"N57$lYk,HQD=KJCF$J1lPJj^;s#

$s9H<keNWm;9NltH7F"Tivoli PKI O=.G<?Y<9rn.7F"=3K

GU)kH&G<?r~l^9#=.fKO"5<P<&3s]<MsHN?aNG<?Y<

9rn.7^9#GU)kH&G<?Y<9N>0O<-NH*jG9#

¶ cfgdb (=.G<?Y<9)

¶ ibmdb (CA G<?Y<9)

¶ pkrfdb (P?G<?Y<9)

¶ adtdb (F:G<?Y<9)

¶ ldapdb (Directory G<?Y<9"{8NbNrHQ9kNGJ$lg)

¶ krbdb (k)0NPC/"CWHj+Pj<&G<?Y<9)

jb<H&^7sK3s]<MsHr$s9H<k7?lgO"12Z<8NXjb<H&5<

P<N;CH"CWYGb@5lkjgK>CF"G<?Y<9r57/_j9k,W,"j

^9#

DirectoryTivoli PKI O"IBM Directory r"x+0Z@qQNf4j]8Hj<H7FHQ7^9#

DB2 HN}gKhj" Directory GO?/NG#l/Hj<&(sHj<r5]<H7^

9#5iK"Tivoli PKI JIN/i$"sH&"Wj1<7gs,"His6/7gsr]

I"97"*hS!wG-kh&K7^9#

Tivoli PKI K*$F"RA 5<P<O<-Npsr Directory fKQVjC7s07^9#

¶ x+0Z@q (Ef=H'ZN?aKHQ)

¶ 1L>HX"7?0- (j-TNrdHC")

¶ Z@qhjC7j9H (:z7?9YFNZ@qN7j"kVfNj9H)

¶ Z@qKp>7? CA KX9kps (=NZ@qKX"7?H3]j7<dZ@q]j7

<r^`)

Directory O"f<6<*hSj=<9rP?*hS'Z9k?aNjJrs!7^9#

Directory O"&LNG#l/Hj<&9-<^ (psN]Id Directory +iN!wKHQ9

k,') rjA7^9#9-<^Khj"G<?NlM-,/)5l^9#^?"CjNf<

6<^?Oj=<9KD$FNps,"MCHo</eN#tNLV^?OA0G]I5lJ

$h&KJj^9#

;CH"CW&&#6<IrBT9k]KO"Tivoli PKI 3s]<MsH, Directory fNG

<?rIs@j"=NG<?r]I^?O977?jG-kh&K9k?aNpsrXj7F

*/,W,"j^9# Directory ,$s9H<k5lF$kMCHo</eGNLVKC(

F"!N3Hr}r7F$k,W,"j^9#

¶ Directory Dj<

¶ Directory k<HI}T


¶ Directory I}T

Directory *��Directory NF(sHj<O"G-G@FJ1L>KhCF1L5lk1lN*V8'/H (D

M"H%"j=<9"^?OGP$9) r=7^9# DN KO"*V8'/HrlU*K1

L7"*V8'/HNC"rAL9kNKr)D0-N;CH,^^l^9#0-O"*V8

'/HNPHq"*V8'/H,j09kH%"*hS*V8'/HNLNrXjG-^9#

9YFN Directory (sHj<O"Directory Dj<HFPlk,X=$K@}*KT.5lF

$^9#3NDj<KO"1lNk<H*hS5tN+91<I&N<I,"j^9#FN<

IO">0(sHj<r18N<IN>N>0(sHj<+ilU*K1L9kNKr)D"

Directory (sHj<KP~7F$^9#

DN =8O"Directory 9-<^H"Directory XN"/;9rnT9k/i$"sHKhCF

)f5l^9# Tivoli PKI N DN rXj9kH-KO"G<?~OU#<kIK~O9k

+"^?O0iU#+k&f<6<&$s?<U'<9rHQ9k3H,G-^9#

¶ Tivoli PKI G,WJ=8rHQ7F DN rXj9k}!KD$FO"22Z<8NX~OK

hk DN NXjYr2H7F/@5$#

¶ 1L>(G#?<rHQ7F DN rjA9k}!KD$FO"23Z<8NXDN (G#?

<NHQYr2H7F/@5$#(G#?<rHQ9kH"(i<,/89kD=-rc

/7"DN =8KD$Fh/NiJ/FbnHG-^9#

� DNk<H DN O"Directory Dj<4Nr979k"BrU?5lF$k Directory (<8's

HG9#3lO=.Q_(sF#F#<G9,"B]KO Directory Dj<NfK8_7^;

s#

k<H DN O"Tivoli PKI K*$F Directory 5<P<KX9kp\*Jpsr4YkNK

bHQ5l^9#?H(P"k<H DN N0-+iO"Directory KD$FN<-Nh&JC

-,o+j^9#

¶ $s9H<k5lF$k Directory =UH&'"NlYk

¶ 5<P<K'15lF$k*V8'/H&/i9H0-9-<^

¶ 5<P<,5]<H7F$k`nH)f

¶ 5]<H5lF$k;-ejF#<&WmH3k

;CH"CW&&#6<IrBT9k]KO"Directory k<HN DN HQ9o<IrXj9

k,W,"j^9# Tivoli PKI r$s9H<k9k0+i8_7F$k Directory rHQ9

klg"{8N Directory k<H DN H=NQ9o<IrXj9k,W,"j^9#

Directory ���Tivoli PKI CA O Directory K>\P$sI5lF$ko1GOJ$NG"CA KhCFp>

5lk(sHj<,]I5lF$k5VDj<rI}9k?aK" Directory I}THFPl

k(<8'sH,HQ5l^9# Directory I}TO CA C-NbNG"j"Directory Dj

<N&A CA N(sHj<&]$sH^?O=lJ<N9YFN(sHj<KP9k"B,

U?5lF$^9#3NC"KO"Directory (sHj<NIC"o|"Q9"I_hj"!

w"*hSfSrT&=O,^^lF$^9#


;CH"CW&&#6<IrBT9k]KO"Directory I}TN?aN DN HQ9o<Ir

Xj9k,W,"j^9# Tivoli PKI r$s9H<k9k0+i8_7F$k Directory r

HQ9klg"{8NDirectory I}T DN H=NQ9o<IrXj9k,W,"j^9#

PKIX CMP ��Public Key Infrastructure for X.509 P<8gs 3 8` (PKIX) O"e-business "Wj1<7g

sNj_?QrFWK9k?aNHH_rs!9k,W+i/87?bNG9#=NgJx@

O"*Zl<F#s0&WiCHU)<`d"Wj1<7gs&=UH&'"&QC1<8H

OX8J/"H%,B4KER&hzG-kh&KJkH$&3HG9#

f<6<,Z@qrh@"97"^?OhjC9?aNWarBTMj9kH"/i$"sH

O=NWarP?I (RA) Kwj^9#Z@q,/T5lkH""Wj1<7gsO=lrf

<6<N>[^?O*}9^<H&+<IK]I7^9#3lKP7F"40Z<8NXSSL

\3YNlgO"Web Vi&6<,War RA KwCF"f<6<N?aNZ@qrh@7

^9#

���#��=l>lN Tivoli PKI 79F`KO"1lNP?Ia$s,"j^9#3NIa$sO"H

%NP?*hS'ZWm;9KX"9k"H3}K"Z@q]j7<"*hSj=<9rjA

7^9#j=<9K"/;97?$f<6<O"=Nj=<9NHQrI}7F$kIa$s

KP?7J1lPJj^;s#

RA 5<P<&=UH&'",$s9H<k5lF$kJi"=NfKP?!=NHH_,^

^lF$^9# ;CH"CW&&#6<IrBT9k]KO"Tivoli PKI N3N$s9H<

k&79F`K*$FBT9kP?Wm;9NIa$s>"Ia$sN@l"*hSIa$s

NQ9r*r7^9#

=.G<?r]I7F=.Wm;9r+O9kH"=.Wm0i`KhCFP?Ia$s,n

.5l^9#79F`O"Ia$s>rHQ9k3HKhCF"f<6<,P?!=K"/;

99k?aKHQ9k Web "Il9r8.7^9#

?H(P"x+ Web 5<P<N>0, MyPublicWebServer G"j"+,NIa$s>,

MyDomain Nlg"P?5$HK"/;99k?aKHQ9k Web "Il9O<-Nh&K

Jj^9#

http://MyPublicWebServer/MyDomain/index.jsp

3N Web "Il9K"kGU)kHN Java 5<P<&Z<8 (index.jsp) N>0OVZ@q

;s?<WG9#3lO"P?G<?r}87?j"f<6<rP?7?j"GU)kHNZ

@qWmU!$kGjA5lF$k\*r5]<H9kZ@qr/T7?j9k?aN(sH

j<&]$sHHJkbNG9#3NIa$sQKP?!=r+9?^$:9knHNltH

7F"FH%4HK3NZ<8N>0rQ97?j"P?U)<`rQ97?j9k3H,G

-^9#^?"Z@qWmU!$krIC"o|"^?OQ99k3HbG-^9#

¶ FH%GP?!=r+9?^$:9k}!KD$FO"29Z<8NXP?Ia$sN+9

?^$:Yr2H7F/@5$#

¶ FH%N]j7<r5]<H9kh&KP?Wm;9r+9?^$:9k}!KX9k\

7$psKD$FO" Tivoli PKI Customization Guide r2H7F/@5$#


¶ H+NH3WoK>CFS8M9&Wm;9&*V8'/H (BPO) r+/*hS+9?

^$:9k?aNjz-KD$FO" IBM lCIVC/ Working with Business Process

Objects for Tivoli SecureWay PKI (SG24-6043-00) r2H7F/@5$#

SSL ��SSL (Secure Sockets Layer) WmH3kO"x+0p>"G#8?kZ@q"*hSEf=r

HQ9k3HKhCF" 2 DNL.vvTNV (?/Nlg Web 5<P<HVi&6<&

/i$"sHNV) GaC;<8Ndjhj9k?aN.j-Nb$lQND-rs!7^

9#

8`*J TCP/IP =1CH\3HfS7?lg"SSL KO<-Nh&Jx@,"j^9#

¶ Wi$P7<#/i$"sHH5<P<NVGdjhj5lk9YFNaC;<8OEf

=5l"=Nhjz-KX89k 2 TJ0,EfrrI9k3HOG-^;s#

¶ 0g-#;-e"&OC7e!=KpE/0g-!:Khj"G<?NKu,!P5l:

K*ok3H,"j^;s#

¶ 'Z-#G#8?kZ@qNr9Khj"/i$"sH&O5<P<N1l-r'ZG

-"5iKO*W7gsH7F5<P<&b/i$"sHr'ZG-^9#

¶ ]'TD#G#8?kp>KhCF9YFNL.,/.&(sF#F#<KP7FHl<

95lk?a",WK~8FU$=O,Z@D=KJj^9#

Tivoli PKI 79F`K*$FO"'ZNlYk4HK"=lrh}9k=l>lLDN]<H

,8_7^9# ;CH"CW&&#6<IrBT9k]KO"5<P<N'Zr,WH9k

SSL \3rh}9k?aN;-e"&]<Hr 1 DXj7^9#^?"5<P<H/i$"

sHN>TN'Zr,WH9k SSL \3rh}9k?aNh 2 N;-e"&]<HrXj

7^9#

P?!=KO"f<6<, SSL WarwC?j SSL P~N"Wj1<7gsGHQ9kZ

@qrh@7?j9k?aNl"NVi&6<P?U)<`,^^lF$^9#?H(P""

kf<6<,Z@qN97WarBTMj9kH"=Nf<6<N Web Vi&6<,=NW

arP?I (RA) Kwj^9#77$Z@q,/T5lkH"RA O=lrf<6<NVi&

6<K]I7^9#3lKP7F"39Z<8NXPKIX CMP \3YNlgO"/i$"s

H&"Wj1<7gs,WarwCF"f<6<N?aNZ@qrh@7^9

Vi&6<P?U)<`rHQ7FZ@qrh@"97"*hShjC93HKD$FO"

Tivoli PKI f<6<:&,$I r2H7F/@5$#3NqAGO"GU)kHNZ@q&

WmU!$krHQ9k3HKhCFh@G-kZ@qNo`"^?Z@qNFo`4HNQ

SKD$Fb@5lF$^9#

Web ����Tivoli PKI GO"/i$"sHWaNh}N?aN 3 DN>[5<P<H 3 DN]<HKp

E/bGkrHQ7F$^9#79F`=.nHNltH7F"IBM HTTP Server $s9H

<k~K=.7?[9H>H]<HrXj7^9#

x+ Web 5<P<O"HTTP WmH3kH 1 DN]<HrHQ9k3HKhCF"SSL J

0NWarh}7^9#=liNWaGO"Ef=b'ZbTWG9#


2 DN;-e" Web 5<P<O"HTTPS WmH3krH&3HKhCF"SSL Warh}

7^9#!)-r]Z9k?aK"/i$"sHH;-e"&5<P<VN9YFNL.OE

f=5lF$^9#5iK"SSL \3KC-Nx+0EfKhj"5<P<r;C7gs+

O~K'Z9k3H,G-^9# Tivoli PKI 79F`K*$FO";C7gs+O~K/i

$"sHr'Z9k?aN;-e"&5<P<&]<HN 1 Dr=.7^9#

3N"<-F/Ac<HGU)kHN]<HMKD$F"<-N=K(7^9#FH%GNU

!$"&)<kN;CH"CW}!KhCFO"2 o`N;-e"Warh}9kNK18]

<HVf (?H(P 443) rH&,W,"k+b7l^;s#=NlgKO"5^6^J Web

5<P<&Wm;9N?aK IP L>r_j9k3HKD$F" Tivoli PKI 9?<H"C

W&,$I r2H7F/@5$#=liNL>*hS]<HO",: Tivoli PKI ;CH"C

W&&#6<INBT0KjA7F*$F/@5$#

Protocol   SSL   Server authentication   Client authentication   Port number

HTTP       No    No                      No                      80

HTTPS      Yes   Yes                     No                      443

HTTPS      Yes   Yes                     Yes                     1443

4758 +�,����*W7gsGO"j^9,"CA H RA Np>0N;-ejF#<rGbK9kKO"D=

JBj IBM 4758 PCI Ef3Wm;C5<rHQ9kh&K7F/@5$#

4758 3Wm;C5<N$s9H<kNltH7F"=.Wm0i`O^9?<0r8.7

F"=lrO<I&'"K]I7^9# Tivoli PKI 79F`GO"3Wm;C5<O3N^

9?<0H RSA "k4j:`rHCF" CA ^?O RA Np>0r 3 EKEf=G-^

9#3N9FCWKhj"CA ^?O RA Np>rm1K5i7?j"|f7?j9kn_

KP7F";-ejF#<,5iK/=5l^9#

4758 3Wm;C5<rHQ9klgKO" Tivoli PKI CA ^?O RA r$s9H<k9k

^7seK=lr$s9H<k9k,W,"j^9# ;CH"CW&&#6<IrBT9k

]KO" CA ,=Np>0r]n9k?aK=N3Wm;C5<rHQ9k+I&+rXj

7^9#

?/N Tivoli PKI 79F`K*$F"CA N0^?O RA N0O"*}*K3Wm;C5<

NfK^9?<0H&K]I5lk3HO"j^;s#7+7"=.*W7gsKhCF3N

GU)kHrXjQ99k3H,G-^9 (3lO+ailF$^;s)# CA N0^?O

RA N0rO<I&'"K]I9klg"<-Nm1-rM87F/@5$#

¶ 4758 3Wm;C5<NPC/"CWK*$FO"=N^9?<0@1,PC/"CW5

l"O<I&'"&+<IeK]I5lF$k=N>N0OPC/"CW5l^;s#7

?,CF"+<I,ul?j"=N>NO<I&'"c2,/87?lgKO"CA ^?O RA Np>0,:olk3HKJj^9#

¶ CA ^?O RA N0,C:^?Om1KJC?lgO"CA rWG7F"77$0G/0

9k,W,"j^9# CA ^?O RA rHQG-J$lg"=N CA ^?O RA ,p

>7?Z@qrj-9kf<6<O"=NEv-r!:9kjJ,J$?aK=NZ@q

rHQ9k3H,G-J/Jj^9#


¶ CA ^?O RA N5N0Gp>5l?Z@qO5zKJk?a"CA ^?O RA rFN

)7?e"77$ CA ^?O RA 0Gp>7?Z@qr/T9k,W,"j^9#

4758 3Wm;C5<NhjU1"=."*hS#=N\YKD$FO"J<N Web "Il

9+i"/;9G-k 4758 =JNqAr2H7F/@5$#

http://www.ibm.com/security/cryptocards/


3N;/7gsNFHTC/GO"Tivoli PKI ;CH"CW&&#6<IrBT9k]KXj

G-kMrb@7^9#FHTC/GO""WlCHND9N&#sI&rb@7^9#

GeN 2 DNHTC/GO""WlCHNlLpsrb@7^9#

¶ 53Z<8NX^&9&"/7gsKP~9k-<\<I`nY GO""WlCHrJS2

<H9k?aNLN}!rb@7^9#

¶ 54Z<8NXFqlKX9kM8v`Y GO"QlJ0N@lG"WlCHrBT9k?

aNRsHrb@7^9#

��-����;CH"CW&&#6<IrGiK+O9kH"Tivoli PKI a$s&=UH&'",$s9H

<k5lF$k5<P<N[9H>,(5l^9#LN5<P<r=.9klgO"V*;W

r/jC/7F;CH"CW&&#6<Ir*;7F/@5$#=.N0;0K;CH"C

W&&#6<Ir*;9kH"G<?O]I5l^;s#

EW!9GK=.Q_N^7sG;CH"CW&&#6<IrBT9kH"{8NG<?,9

YFK~5lF7^$^9#{8N79F`rF=.7?j"J0K=.5l?79F

`K=.G<?r$s]<H7?j9k3HOG-^;s#

{8N=.+iNG<?N$s]<H

3N*W7gsO"!NlgKN_*r7F/@5$#

¶ Tivoli PKI 79F`rJ0K$s9H<k7F=.7?lg

¶ 3N79F`r=.9k?aNpC=.G<?H7F"{8N=.G<?rHQ

7?$lg

¶ 3N77$79F`r"0N79F`H18*Zl<F#s0&79F`&Wi

CHU)<`K$s9H<k9klg

Tivoli PKI r#tN5<P<K$s9H<k7F"F5<P<G18=.r_j9k

=jNlgO"3N!=rhQG-^9#

3NA'C/&\C/9rA'C/9kH"$s]<H9k=.G<?r^`U!$

kN>0r*r9kh&aakWmsWH,P5l^9#


����-����{8N=.+iG<?r$s]<H9k3HrXj7?lgO"$s]<H9k=.G<?K

D$FN*W7gsrXj9k,W,"j^9#

=.G<?

3Nj9H&\C/9KO"Tivoli PKI N3lJ0N$s9H<kK*$F]I5

l" 3N^7sK3T<5l?9YFN=.G<?&U!$kNj9H,=(5l^

9#j9Hr9/m<k7F"#sN$s9H<kK,Q9k=.Mr^`U!$k

r*r7F/@5$#

;CH"CW&&#6<IO"$s]<H5l?Mr=TN"WlCH&;C7gs

K3T<7^9#"WlCHN=NeNh}K*$F"=(5lF$kMr=N^^

NQ7?j"3N Tivoli PKI 79F`KO,5J$M@1rQ97?j9k3H,G

-^9#

77$$s9H<k+^$0l<7gs+

¶ 77$ Tivoli PKI 79F`r=.9klgO"V7,Wr/jC/7F/@5

$#

=.Wm0i`Khj"Tivoli PKI N7,$s9?s9NG<?r]}9k=.

G<?Y<9,7,n.5l^9#

¶ =.G<?r^$0l<7gs9klgO"V\TWr/jC/7F/@5$#

?H(P"Tivoli PKI NlP<8gs+iNG<?r^$0l<7gs9klg

K3N*W7gsr*r7^9#

=.Wm0i`Khj{8N=.G<?Y<9,3T<5l"#s$s9H<k

9k Tivoli PKI GHQG-kh&KJj^9#

CA ����������-����>N Tivoli PKI 3s]<MsH, Tivoli PKI 'ZI (CA) *hSF:5V79F`HL.G

-kh&K9k*W7gsrXj9k,W,"j^9#

Tivoli PKI N CA H F:5<P<&Wm0i`O"18^7sK8_7F$J1lPJj^

;s#FH%4HN=UH&'"N$s9H<k}!K~8F"=NLVOP?I (RA) ^?

O Directory 5<P<H18^7sNlgHc&^7sNlgN>},D=G9#

[9H>^?O IP "Il9CA HF:5<P<&Wm0i`,$s9H<k5lF$k^7sN04$~[9H

>r~O7F/@5$#;$>0^?OL>O~OG-^;s7"IP "Il9b~O

G-^;s#

3lO"MCHo</4HN TCP/IP Ia$s&M<`&79F` (DNS) K*$

F"3N5<P<N?aK=.5lF$k[9H>G9#GU)kHMOP?I5<

P<N[9H>G9#

CA 5<P<N]<HVf

Tivoli PKI CA ,War listen 9ku-]<HrXj7^9#GU)kHMO 1830G9#

F:5<P<N]<HVf

Tivoli PKI F:5V79F`,War listen 9ku-]<HrXj7^9#GU)k

HMO 59998 G9#


CA N DN3N1L>O"DirectoryNfG CA r1L9kbNG"j"3lKhCFf<6<O

/T5l?Z@qKp>7? CA ,Il+rFWKNk3H,G-^9#GU)kH

MO /C=US/O=H%/OU=Trust Authority/CN=Trust Authority CA G9#

X.509v3 DN NA0KD$Fh/}r7F$klgO"Tivoli PKI CA NG-N DN

r~O9k3H,G-^9# Tivoli PKI G,WJA0G DN rXj9k}!KD$

FO"22Z<8NX~OKhk DN NXjYr2H7F/@5$#

G-N DN NXjnHrFWK7F"Vc$ND=-r/J/9kKO"DN

(G#?<N"$3sr/jC/7F/@5$#3ND<krHQ7F DN rn.9

k3HKD$FO"23Z<8NXDN (G#?<NHQYr2H7F/@5$#

CA �-����Ef="k4j:`H CA Nk)p>0N05$:rXj9k,W,"j^9# IBM 4758

PCI Ef3Wm;C5<,$s9H<k5lF$klgO"0N]nN?aKEf=O<I&

'"rHQ9k3Hr CA r_j9k3HbG-^9#

Z@qKp>9k?aN"k4j:`

Tivoli PKI CA NG#8?kp>KHQ9kEf="k4j:`r*r7F/@5

$# CA Np>O"CA KhCFp>5l?Z@q*hSZ@qhjC7j9H

(CRL) N'Z-H]4-r]Z7^9#

J<N$:l+r*r7F/@5$#

sha-1WithRSAEncryptionDigital Signature Algorithm (DSA) EMGjA5l?70KAc<W;KP7

F" Secure Hash Algorithm (SHA-1) KpE/OC7eXtr,Q9k3HK

hCF"70KAc<r8.7^9#

md5WithRSAEncryptionRSA ,JKhCFjA5lF$k70KAc<W;KP7F MD5 aC;<

8&@$8'9HXtr,Q9k3HKhCF"70KAc<r8.7^9#

Z@qN0N5$:

CA NG#8?kp>N;-ejF#<b"0N5$:rhakWxHJj^9#l

LK"0N5$:,UW;rI0NK=,Jg-5G"kH-K"p>"k4j:`

O;-e"G"kH+J5l^9#0N5$:,g-$[I;-ejF#<O/=5

l^9,";-e"&;C7gsNN)~Kp>r!Z9k?aK,WJ~Vb9/

Jj^9#

3N=JN3NP<8gsGO"1024 r*r7F/@5$#

Ef=O<I&'"NHQ

3N*W7gsO"!NlgKN_*r7F/@5$#

¶ Tivoli PKI r IBM AIX WiCHU)<`K$s9H<k7?

¶ 4758 Ef3Wm;C5<r Tivoli PKI CA *hSF:5<P<&^7sKv0

K$s9H<k7?

¶ 4758 3Wm;C5<rHQ7F CA N0r]n7?$


4758 3Wm;C5<rHQ7F$J$lg"CA N0OEf=5l";-e"

KeyStore K]I5l^9#7+7"4758 3Wm;C5<rHQ9kH"H+N^9

?<&-<rHQ7F CA Np>0,Ef=5lkNG"O<I&'"]n,H%5

l^9#

RSA 05$:

EfO<I&'"NHQrXj9kH"4758 3Wm;C5<O+0*K RSA "k4

j:`rHQ7F"CA Np>0rEf=7^9#W;XN~OH7FHQ5lk0

5$:r*r7J1lPJj^;s#0N5$:,g-$[I;-ejF#<O/=

5l^9,";-e"&His6/7gsr!Z9kNK,WJ~Vb9/Jj^

9#

J<NMN$:l+r*r7F/@5$#GU)kHMO 1024 G9#

¶ 512

¶ 768

¶ 1024

p>0rO<I&'"K]I9k

EfO<I&'"NHQrXj7?lgO"CA Np>0rO<I&'"K*}*K

]I9k+I&+r*r9k3H,G-^9#

GU)kHMO V$$(W G9#

EW!4758 3Wm;C5<NPC/"CWK*$FO"=N^9?<&-<@1,P

C/"CW5l^9#=NO<I&'",ul?lg"CA N0r:&3HKJ

CF7^$^9#3N;:rrh9kKO"77$0rHQ7F CA r)Ae

2"77/p>5l?Z@qr{8NZ@q[k@<KF/T9k,W,"j^

9#

VO$WO"X89km1r}r7F$klgKN_*r7F/@5$#m1-H$

5"/7gsKD$FO"41Z<8NX4758 3Wm;C5<Yr2H7F/@5$#

CA 4758 WmU!$k&Q9o<I^?OQ9Ul<:

4758 N?aNQ9o<I^?OQ9Ul<:r~O7F/@5$#

Q9o<I^?OQ9Ul<:N95O$UG9#;-ejF#<rG,=9k?

a"=BN1lr=98zsOXj7J$G/@5$#^?".8zHg8zrH_

go;FHQ7"/J/Hb 1 DNtzr^akHh$G7g&#

Directory �����-����Tivoli PKI , IBM Directory 5<P<HL.9k?aK,WJ*W7gsrXj7F/@5

$#?H(P"RA 5<P<O"DirectoryNfKZ@q*hSZ@qhjC7j9H (CRL)

r/T7^9#Z@qNEv-r4Yk?a""Wj1<7gsO Directory fNpsrI`

,W,"j^9#


[9H>^?O IP "Il9Directory 5<P<N=UH&'",$s9H<k5lF$k^7sN04$~[9H

>r~O7F/@5$#;$>0^?OL>O~OG-^;s7"IP "Il9b~O

G-^;s#

3lO"MCHo</4HN TCP/IP Ia$s&M<`&79F` (DNS) K*$

F"3N5<P<N?aK=.5lF$k[9H>G9#>N"Wj1<7gsGH

Q9k Directory 5<P<+"Tivoli PKI lQK_j7? Directory 5<P<rXj

9k3H,G-^9#GU)kHMOP?I5<P<N[9H>G9#

Directory N]<HVf

Directory 5<P<,War listen 9ku-]<HrXj7^9#GU)kHMO

389 G9#

{8N Directory rHQ

GU)kHGO3NA'C/&\C/9O*UG"j"Tivoli PKI GHQ9k

Directory G<?Y<9r7?Kn.9k3HKJCF$^9#

3NA'C/&\C/9rA'C/9kNO"=lJ0K Directory r9GK$s9

H<k7F$F"Tivoli PKI Npsr]I9k?aK=lrHQ7?$lg@1K7

F/@5$#

Tivoli PKI r{8N Directory H;Q9kWhNlgO"16Z<8NX{8N

Directory NHQYr2H7F/@5$#

Directory 9-<^NP<8gs 3 rHQ

GU)kHGO3NA'C/&\C/9O*sG9# RFC 2256 KjA5lF$k

Directory 9-<^&P<8gs 3 r Tivoli PKI H;Q9k3Hr(7^9# RFC

2587 KjA5lF$k"{8N PKIX LDAP 9-<^&P<8gs 2 bM3H7F

5]<H5lF$^9#

3NA'C/&\C/9r/j"9kNO"RFC 2587 KjA5lF$k PKIX

LDAP 9-<^&P<8gs 2 rHQ9klg@1K7F/@5$#

Tivoli PKI r{8N Directory H;Q9kWhNlgO"16Z<8NX{8N

Directory NHQYr2H7F/@5$#

Directory ��-����Directory k<HN1L> (DN) HQ9o<IrXj9k,W,"j^9#k<HO"

Directory Dj<4Nr979k"BrU?5lF$k Directory (<8'sHG9#=lO^

?"Tivoli PKI , Directory 5<P<N5]<H9kWmH3k*hS8`,JKD$FNp

srh@9kNKbHQ5l^9#

m: Tivoli PKI r$s9H<k9k0+i Directory 5<P<,"klg"=lKP9k

Directory k<H,9GK=.5lF$k+b7l^;s#=NlgO"{8Nk<H DN

HQ9o<IrXj7F/@5$#

k<H DNX.509v3 DN NA0KD$Fh/}r7F$klgO"Directory k<HNG-N DN

r~O9k3H,G-^9#GU)kHMO

/C=US/O=Your Organization/OU=Trust Authority/CN=Ldap Root DN G9#


Tivoli PKI G,WJA0G DN rXj9k}!KD$FO"22Z<8NX~OKhk

DN NXjYr2H7F/@5$#

k<H&Q9o<I

Directory Nk<HN?aNQ9o<Ir~O7F/@5$#

Q9o<IO 8 8z (P$H) GJ1lPJj^;s#;-ejF#<rG,=9k

?a"=BN1lr=98zsOXj7J$G/@5$#^?".8zHg8zrH

_go;FHQ7"/J/Hb 1 DNtzr^akHh$G7g&#

{8Nk<H DN N?aNQ9o<IrXj9klg"Tivoli PKI ,Ev-!:9k

NOGiN 8 8z@1G9#

k<H&Q9o<INN'

18Q9o<IrFS~O7F/@5$#

g8zH.8zrH_go;?Q9o<IrXj7?lgO"188zr~O7F/

@5$#

Directory ����-����Directory I}TN1L> (DN) HQ9o<IrXj9k,W,"j^9#3N(<8'sH

O"Directory fN CA N5VDj<bN(sHj<rn.*hSI}7^9# CA 5<P<

*hS RA 5<P<H&K"Z@qdZ@qhjC7j9HKD$FNpsrQVjC7s

07^9#

m: Tivoli PKI r$s9H<k9k0+i Directory 5<P<,"klg"=lKP9k

Directory I}T,9GK=.5lF$k+b7l^;s#=NlgO"{8N DN HQ

9o<IrXj7F/@5$#

Directory I}T DNX.509v3 DN NA0KD$Fh/}r7F$klgO"Tivoli PKI Directory I}TN

G-N DN r~O9k3H,G-^9#GU)kHMO

/C=US/O=Your Organization/OU=Trust Authority/CN=DirAdmin G9#

Tivoli PKI G,WJA0G DN rXj9k}!KD$FO"22Z<8NX~OKhk

DN NXjYr2H7F/@5$#

G-N DN NXjnHrFWK7F"Vc$ND=-r/J/9kKO"DN

(G#?<N"$3sr/jC/7F/@5$#3ND<krHQ7F DN rn.9

k3HKD$FO"23Z<8NXDN (G#?<NHQYr2H7F/@5$#

Directory I}TNQ9o<I

Directory I}TN?aNQ9o<Ir~O7F/@5$#

Q9o<IO 8 8z (P$H) GJ1lPJj^;s#;-ejF#<rG,=9k

?a"=BN1lr=98zsOXj7J$G/@5$#^?".8zHg8zrH

_go;FHQ7"/J/Hb 1 DNtzr^akHh$G7g&#

{8NDirectory I}TN?aNQ9o<IrXj9klg"Tivoli PKI ,Ev-!:

9kNOGiN 8 8z@1G9#

Directory I}TNQ9o<INN'

18Q9o<IrFS~O7F/@5$#


g8zH.8zrH_go;?Q9o<IrXj7?lgO"188zr~O7F/

@5$#

Directory I}T, Directory r97G-kh&K9k

Directory I}TKO"Directory fN(sHj<rIC"o|"*hSQ99k?a

N97C",,WG9#

GU)kHGO3NA'C/&\C/9OA'C/5lF$^9#D^j"Directory

I}TO Directory fN CA N5VDj<r97G-^9#LoO"3N*W7gs

rHQD=N^^K7F*/,W,"j^9#

���#���-����#s$s9H<k9k Tivoli PKI NP?Ia$sKD$FNpsrXj9k,W,"j^

9#P?Ia$sO"P?!=NjjN$s9?s9KC-NH3}K"Z@q]j7<"*

hSj=<9rjA7^9#

P?Ia$s>

P?Ia$sr1L9k>0r~O7^9#GU)kHMO YourDomain G9#3

N>0rQ97F"H%bGU#N"k>0"^?OP?!=NQSr(9>0K9

k,W,"j^9#

Ia$s>O"*Zl<F#s0&79F` (AIX ^?O Windows NT) NG#l/

Hj<?>WoK`r7F$J1lPJj^;s#CK"HQ9k>0rhj9kH

-KO"J<N,'K>&,W,"j^9#

¶ >0O-zJ URL 9Hjs0GJ1lPJiJ$#

¶ >0O 128 8zr6(FOJiJ$#

¶ >0K9Z<9^?O?Vr^ak3HOG-J$#

¶ >0KJ<NCl8zr^ak3HOG-J$#PC/9iC7e^?O_-f

(\ ^?O ¥)"9iC7e (/)"3ms (:)""9?j9/ (*)"?dd (?)"zQd

(″)"TyfgL (< >)"b>P< (|)"]sI-f (#)"Ik-f ($)"^?O"

]9HmU# (’)#

P?Ia$s@l

3NP?Ia$sQN@lr*r7F/@5$#

f<6<,'ZWarBTMj9klg"^?OI}T, RA Desktop K"/;99

klg"33G*r7?@lKhjG<?,s!5l"]I5l^9#GU)kHM

O English (Ql) G9#

J<NMN$:l+r*r7F/@5$#

¶ Ql

¶ Uis9l

¶ I$Dl

¶ $?j"l

¶ 9Z$sl

¶ Vi8k&]kH,kl

¶ |\l

¶ Zql

¶ fql (JNz)

¶ fql (KNz)


k<H&$s9H<k&G#l/Hj<

RA 5<P<eNP?Ia$sNLVr~O7^9#04$~Q9rXj7F/@5

$#

=.fK79F`O"3NLVKP?Ia$sr;CH"CW7^9#P?!=N+

9?^$:K*$FO"3NIa$sK"kU!$kr+9?^$:7^9#3lK

hj"3NIa$srP]H7?P?"/F#SF#<O"=N?aKjA9k]j

7<KhCFI}5lk3HKJj^9#

¶ AIX Nlg"Ia$s&Q9NGU)kHMO /usr/lpp/iau/pkrf/Domains G9#

¶ Windows NT Nlg"Ia$s&Q9NGU)kHMO

c:¥Program Files¥IBM¥Trust Authority¥pkrf¥Domains G9#

�� Web �����-����Tivoli PKI N3s]<MsH,x+ Web 5<P<HL.G-kh&K9k?aN*W7gs

rXj7F/@5$#3N5<P<O"Ef=d'Zr,WH7J$Warh}7^9#

x+5<P<N[9H>^?O IP "Il9xNWarh}9kh&K;CH"CW5lF$k5<P<N04$~[9H>r~

O7^9#;$>0^?OL>O~OG-^;s7"IP "Il9b~OG-^;s#

IBM HTTP Server =UH&'"N$s9H<k~K"SSL J0NWarh}9k5

<P<&Wm0i`N>[[9H>r=.7F$J1lPJj^;s#GU)kHM

OP?I5<P<N[9H>G9#

x+5<P<N]<HVf

x+ Web 5<P<,War listen 9ku-]<HrXj7^9#GU)kHMO

80 G9#

��%� Web �����-����Tivoli PKI N3s]<MsH,;-e" Web 5<P<HL.G-kh&K9k?aN*W7

gsrXj7F/@5$#=liN5<P<O"Ef=*hS5<P<'Zr,WH9k

SSL \3rh}7^9#/i$"sH'Zb,WJWarh}9k?aK"1 DN;-e

"&5<P<r=.9k,W,"j^9#

¶ /i$"sH'Zr,WH7J$Warh}9k;-e"&5<P<r=.9klg:

[9H>^?O IP "Il9=liN?$WNWarh}9kh&K;CH"CW5lF$k5<P<N04

$~[9H>r~O7^9#;$>0^?OL>O~OG-^;s7"IP "Il

9b~OG-^;s#

IBM HTTP Server =UH&'"N$s9H<k~K"/i$"sH'ZTWNW

arh}9k5<P<&Wm0i`N>[[9H>r=.7F$J1lPJj^

;s#GU)kHMOP?I5<P<N[9H>G9#

]<HVf

Ef=H5<P<'ZO,W@,/i$"sH'ZOTWG"k SSL War;-

e" Web 5<P<, listen 9k?aNu-]<HrXj7^9#GU)kHM

O 443 G9#


¶ /i$"sH'Zr,WH9kWarh}9k;-e"&5<P<r=.9klg:

[9H>^?O IP "Il9=liN?$WNWarh}9kh&K;CH"CW5lF$k5<P<N04

$~[9H>r~O7^9#;$>0^?OL>O~OG-^;s7"IP "Il

9b~OG-^;s#

IBM HTTP Server =UH&'"N$s9H<k~K"/i$"sH'Z5l?W

arh}9k5<P<&Wm0i`N>[[9H>r=.7F$J1lPJj^

;s#GU)kHMOP?I5<P<Nm<+k&[9H>G9#

]<HVf

Ef="5<P<'Z"=7F/i$"sH'Zr,WH9k SSL War;-e

" Web 5<P<, listen 9k?aNu-]<HrXj7^9#GU)kHMO

1443 G9#

RA -����RA NdQp>0N0N5$:rXj9k,W,"j^9# IBM 4758 PCI Ef3Wm;C

5<,$s9H<k5lF$klgO"0N]nN?aKEf=O<I&'"rHQ9kh&

K RA r_j9k3HbG-^9#

/i$"sHWaN?aN]<HVf

RA , PKIX CMP War listen 9k?aKHQ9k"HQD=J]<Hr(7^

9#GU)kHMO 829 G9#

Ef=O<I&'"NHQ

3N*W7gsO"!NlgKN_*r7F/@5$#

¶ Tivoli PKI r IBM AIX WiCHU)<`K$s9H<k7?

¶ 4758 Ef3Wm;C5<r Tivoli PKI RA 5<P<&^7sKv0K$s9H

<k7?

¶ 4758 3Wm;C5<rHQ7F RA N0r]n7?$

4758 3Wm;C5<rHQ7J/Fb"RA N0OEf=5l";-e"J

KeyStore K]I5l^9#7+7"4758 3Wm;C5<rHQ9kH"H+N^9

?<0rHQ7F RA Np>0,Ef=5lkNG"O<I&'"]n,H%5l^

9#

RA 4758 WmU!$k&Q9o<I^?OQ9Ul<:

4758 N?aNQ9o<I^?OQ9Ul<:r~O7F/@5$#

Q9o<I^?OQ9Ul<:N95O$UG9#;-ejF#<rG,=9k?

a"=BN1lr=98zsOXj7J$G/@5$#^?".8zHg8zrH_

go;FHQ7"/J/Hb 1 DNtzr^akHh$G7g&#

RSA 05$:

EfO<I&'"NHQrXj9kH"4758 3Wm;C5<O+0*K RSA "k4

j:`rHQ7F"RA Np>0rEf=7^9#W;XN~OH7FHQ5lk0

5$:r*r7J1lPJj^;s#0N5$:,g-$[I;-ejF#<O/=

5l^9,";-e"&His6/7gsr!Z9kNK,WJ~Vb9/Jj^

9#


J<NMN$:l+r*r7F/@5$#GU)kHMO 1024 G9#

¶ 512

¶ 768

¶ 1024

p>0rO<I&'"K]I9k

EfO<I&'"NHQrXj7?lgO"RA Np>0rO<I&'"K*}*K

]I9k+I&+r*r9k3H,G-^9#

GU)kHMOV$$(WG9#

EW!4758 3Wm;C5<NPC/"CWK*$FO"=N^9?<&-<@1,P

C/"CW5l^9#=NO<I&'",ul?lg" RA N0r:&3HK

JCF7^$^9#3N;:rrh9kKO"77$0rHQ7F RA r)A

e2"77/p>5l?Z@qr{8NZ@q[k@<KF/T9k,W,"j

^9#

VO$WO"X89km1r}r7F$klgKN_*r7F/@5$#m1-H$

5"/7gsKD$FO"41Z<8NX4758 3Wm;C5<Yr2H7F/@5$#

&QWm;C5<&*W7gs

RA H CA ,18^7sK"j"3li, 4758 3Wm;C5<r&Q9klg"3

N*W7gsr*r7J1lPJj^;s#

RA/CA NI}WmU!$k&Q9o<I

4758 3Wm;C5<eN"I_K9Hl<?<&WmU!$kN?aNQ9o<I^

?OQ9Ul<:r~O7F/@5$#V&QWm;C5<&*W7gsW,*r5

lF$klg""WlCHO/)*K"I_K9Hl<?<&WmU!$kr RA *

hS CA H18K7^9#

������5^6^J Tivoli PKI 3s]<MsHKD$FXj7?=.*W7gsr9/m<k7F+

F/@5$#

,Q9k0KQ97?$_j,"klgO"V0XWr/jC/7F"Q97?$3s]<M

sHNH3m^GaCF/@5$#

=.Wm;9rJak`w,G-?i"V!XWr/jC/7F/@5$#

��������=.G<?r]I7F"=.MNPC/"CWrhk3H,G-^9#^?"=liNMrL

N Tivoli PKI 79F`N;CH"CWNpCG<?H7FHQ9k3H,G-kh&KJj

^9#

;CH"CW&&#6<Ir+O9kH"J0N=.+iG<?r$s]<H9k+I&+r

RMil^9#:v9klgO"$s]<H9kMr^`=.G<?&U!$kr*r9k3

H,G-^9#


=.G<?>

=.G<?NU!$k>r~O7^9#U!$kH%Rr~O9k,WO"j^;

s#GU)kHMO DatabaseBackup G9

LN Tivoli PKI 79F`N=.K*$F$s]<H9kU!$kH7F1L7d9$

>0rHQ7F/@5$#>0K9Z<9rH&3HbD=G9,"*Zl<F#s

0&79F`GHQG-J$-fd8zOHQ7J$G/@5$#

77$ Tivoli PKI 5<P<KG<?r$s]<H9k9FCWKD$FO"12Z<8

NX=.G<?N$s]<HYr2H7F/@5$#

=.G<?r]I7F"=.Wm;9r3T9klgO"VNextWr/jC/7^9#*Zl

<F#s0&79F`GHQG-J$U!$k>rXj7?lg";CH"CW&&#6<I

O=lr$59kh&KWmsWHr=(7^9#=.G<?r@(*K]I9k3HJ/

V*;Wr/jC/7F;CH"CW&&#6<Ir*;9kH"Xj7?MO]I5l^;

s#

���,��Tivoli PKI N3N$s9H<k&79F`N?aN=.G<?r]I7?Ji"Mr79F`

K,Q9k,W,"j^9#Mr,Q9kH"CfgStart =.Wm0i`,+O5l^9#=N

Wm;9K*$F"79F`O3s]<MsH&G<?Y<9rn.7"3s]<MsHN=

.U!$kr977^9#

m: 5<P<&3s]<MsH,jb<H&^7seK$s9H<k5lF$klg"=.W

m0i`OY_7F"=.Wm;9N!N9FCWKJ`0K=Njb<H&^7sKP

7FhVrT&h&%7^9# 12Z<8NXjb<H&5<P<N;CH"CWYr2

H7F/@5$#

����������������.����;CH"CW&&#6<I^?O1L> (DN) (G#?<NfG*r`nr9kNK^&9r

HQ9keojK-<\<IrH&lgO"<-N=r4YF/@5$#

+<=k&U)<+9NLV -<9Hm</

DN (G#?<GN`n

LN?V&iYkr*r7"=N?Vr=(9k &puG!N?VK\j^9#8pu

G0N?VK\j^9#

?VbG9/m<k9k# [Page Down] G<K9/m<k7^

9# [Page Up] GeK9/m<k7^

9#

DN (G#?<r*;9k# [Esc] -<#

U#<kIVN\0

[HsINU#<kI+i!NU#<kIX\0

9k#

[Tab] -<#

[HsINU#<kI+i0NU#<kIX\0

9k#

[Shift]-[Tab] -<#

3s\&\C/9bN`\N`n


+<=k&U)<+9NLV -<9Hm</

`\j9Hbr\09k# <puG<X\07^9#epuGe

X\07^9#

=_=(5lF$k`\r*r7?^^"!NU

#<kIX\09k#

[Tab] -<#

j9H&\C/9bN`\N`n

`\j9Hbr\09k# <puG<X\07^9#epuGe

X\07^9#

=_=(5lF$k`\r*r7?^^"!NU

#<kIX\09k#

[Tab] -<#

i8*&\?sN`n (1 ;CHG 1 U#<kIH+J9)

i8*&\?sj_VG\0&*r9k# <pu*hS&puG!N*r`\X

\07^9#epu*hS8puG0

N*r`\X\07^9#

*;7F!NU#<kIX\09k# [Tab] -<#

A'C/&\C/9GN`n

A'C/&\C/9r*r^?O*rr|9k# 9Z<9&-<#

*;7F!NU#<kIX\09k# [Tab] -<#

3^sI&\?sN`n

3^sI&\?sK\09k# [Tab] -<#

3^sIrBT9k# 9Z<9&-<^?O [Enter] -<#

�����������3N;/7gsGO"QlGN Tivoli PKI H"3l,5]<H9kLN@lHNVNjc@

KD$FWs7^9#QlGGJ$ Tivoli PKI rHQ7F;CH"CW&&#6<IrBT

9klgO"3N;/7gsrN'7"+,N@lGps,=(^?Oh}5lk}!,IN

h&K[Jk+r4YF/@5$#

P?Ia$s@lNXj

QlJ0N@lGP?!=rBT9kWhNlgO" P?Ia$sN=.*W7gs

rXj9kH-K@lr*r7^9#GU)kHMOQlG9#=.NBTfK3N

MrQ97J$H"=JrF$s9H<k7J$Bj"eG3lrQ99k3HOG

-J/Jj^9#

ASCII 8zNHQ

CA"Directory I}T"^?O Directory k<HNG#l/Hj<&Q9^?O1L>

(DN) rXj9kH-KO" ASCII 8zrHQ7J1lPJj^;s#s ASCII 8

z^?O 2 P$H@l8z (|\l^?OfqlJI) r^`Q9>^?O DN r

~O7FOJj^;s#

fql (KNz) GN"WlCHNBT

Netscape Navigator ^?O Netscape Communicator P<8gs 4.05 ^?OP<8gs

4.5 Nfql (KNz) GrHQ9kH";CH"CW&&#6<IN$sGC/9&

Z<8,fql (KNz) GOJ/QlGa5lkD=-,"j^9#Vi&6<N

@l_jG 1 !@l,QlGOJ/fql (KNz) K_j5lF$k3HrN'7

F/@5$#


=lGbdj,rh7J$lg"RbGN Netscape Nm<+i$:}!K/x9k

Vi&6<N)BKhkbN+b7l^;s#eXjJH7F"Microsoft Internet

Explorer rHCF;CH"CW&&#6<Irm<I7F_F/@5$#


3NQl8GO"\qGHolF$k77$QldJ8_NJ$Ql"=#rz/HM(il

kQlKD$F"Ql*hSJ,ArjA7F$^9#QlHjANP5OJ<NH*jG

9#

¶ IBM® 3sTe<F#s0-5 (New York: McGraw-Hill, 1994)

¶ American National Standard Dictionary for Information Systems, ANSI X3.172-1990 (Fq,

J(q (ANSI), 1990)

¶ Answers to Frequently Asked Questions, Version 3.0 (California: RSA Data Security ,Inc.,

1998)

action history: The record of the events that have occurred during the life cycle of a credential.

access control list (ACL): A mechanism that limits the use of a specific resource to authorized users.

applet: A computer program written in Java that runs inside a Java-enabled Web browser. See also Java applet.

cryptography: In computer security, the principles, means, and methods for encrypting plaintext and decrypting ciphertext.

cryptographic: Pertaining to the transformation of data in order to conceal its meaning.

encrypt: To scramble information so that only someone holding the corresponding decryption key can recover the original information.

decrypt: To reverse the encryption process.

encryption/decryption: Encrypting data for a person with one of two corresponding keys (the public key); that person then decrypts the data with the paired private key.

instance: In DB2®, a logical database manager environment in which data is protected and applications run. A single set of configuration parameters can be defined for several databases.

Internet: The worldwide collection of networks that provides electronic connections between computers and lets them communicate through software and devices such as e-mail and Web browsers. For example, several sites may each have a network; those networks connect to other networks and together form the Internet.

intranet: A network inside an organization, usually behind a firewall; a private version of the Internet that uses Internet-like technology. Technically, an intranet is simply an extension of the Internet; HTML and HTTP are used.

extranet: A private version of the Internet that uses Internet-like technology. Often built on the Web, it integrates electronic commerce, messaging, and groupware so that customers, partners, and employees share a common communication base.

end-entity: A subject, other than a CA, to which a certificate is issued.

Open Systems Interconnection (OSI): The name of the computer networking standards defined by ISO.

object: In object-oriented design or programming, an abstraction that combines data with the operations associated with that data. See also class.

object identifier (OID): A data type, defined in Abstract Syntax Notation One (ASN.1), whose values are assigned for administrative purposes to identify objects uniquely.

object type: A kind of object that can be stored in the Directory, for example an organization, a country, a device, a person, a program, or a process.

hierarchy: The structure of certificate authorities (CAs) in a trust chain. It begins with a self-signed CA, or with a root beneath the top-level root, and ends with the CAs that issue certificates to end users.

key: A value used by a cipher to encrypt or decrypt information.

Key Backup and Recovery: A Tivoli PKI facility for backing up and recovering end-entity certificates issued by Tivoli PKI together with their corresponding public and private keys. The certificate and keys are stored in a PKCS #12 file protected by a password, which is set when the backup is taken.

key pair: The two corresponding keys used in asymmetric cryptography. One key is used for encryption and the other for decryption.

Virtual Private Network (VPN): A private data network that establishes remote connections over the Internet rather than over dedicated lines. Because users reach the corporate network through an Internet service provider (ISP) instead of a dedicated circuit, the company avoids expensive access costs. A VPN also improves data security: traditional firewall technology can encrypt the body of a message but not the sender and receiver addresses, whereas VPN technology lets the user establish a tunnel in which the entire information packet (content and headers) is encrypted and encapsulated.

National Language Support (NLS): Product support for the characteristics of a locale, including language, culture, currency, and other conventions.

audit trail: A chronological record of a series of events, from which the history of a transaction or activity can be reconstructed.

audit client: Any client in the system that sends audit events to the Tivoli PKI Audit server. Before sending events, an audit client first establishes a connection with the Audit server; once the connection exists, it sends the events through the audit subsystem client library.

Audit server: The Tivoli PKI server that receives audit events from audit clients and writes them to the audit log.

audit subsystem: In Tivoli PKI, the subsystem that supports logging of security-relevant actions. It conforms to the audit requirements set out in the X9.57 standard, Public Key Cryptography for the Financial Services Industry.

audit log: In Tivoli PKI, a relational database table that holds one record for each audit event.

Basic Encoding Rules (BER): The rules, specified in ISO 8825, for encoding data described in Abstract Syntax Notation One (ASN.1). They govern the encoding, not the abstract syntax.

confidentiality: The property that information is not disclosed to unauthorized parties.

Common Cryptographic Architecture (CCA): IBM software that enables a consistent approach to cryptography across the major IBM computing platforms. It supports application software written in a variety of programming languages; applications call CCA services to perform a range of cryptographic functions, including DES and RSA encryption.

Common Gateway Interface (CGI): A standard method of exchanging information between a Web page and a Web server.

Common Data Security Architecture (CDSA): An extensible architecture that defines a uniform approach to security services and security management for computer-based security applications. It was designed by Intel to make computing platforms safer for applications.

client: (1) A functional unit that receives shared services from a server. (2) A computer or program that requests services from another computer or program.

client/server: In distributed processing, a model in which a program at one site sends a request to a program at another site and waits for a response. The requesting program is called the client; the responding program is the server.

class: In object-oriented design or programming, a group of objects that share a common definition and therefore share common properties, operations, and behavior.

gateway: A functional unit that lets dissimilar networks or applications communicate with one another.

code signing: Applying a digital signature to an executable program. Code signing was devised to increase confidence in software distributed over the Internet.

public/private key pair: A public/private key pair is part of the concept of public key cryptography, proposed by Diffie and Hellman in 1976 to solve the key management problem. In this scheme each person receives a pair of keys, one called the public key and the other the private key. Each person's public key is published, while the private key is kept secret. Sender and receiver need not share any secret information: all communication involves only public keys, and no private key is ever transmitted or shared. It is no longer necessary to trust that some communication channel is secure against eavesdropping or betrayal; the only requirement is that public keys be associated with their users in a trusted (authenticated) manner, for instance in a trusted directory. Anyone can send a confidential message using only public information, but the message can be decrypted only with the private key, which is held solely by the intended recipient. Furthermore, key pair cryptography can be used not only for privacy (encryption) but also for authentication (digital signatures).

public key: The key of a public/private key pair that is made available to others. It lets them send transactions to the key's owner and verify the owner's digital signatures. Data encrypted with a public key can be decrypted only with the corresponding private key. Contrast with private key. See also public/private key pair.

Public Key Cryptography Standards (PKCS): Vendor-neutral standards published in 1991 by RSA Laboratories together with an informal consortium of industry computer vendors. They cover RSA encryption, Diffie-Hellman agreement, password-based encryption, extended certificate syntax, cryptographic message syntax, private key information syntax, and certificate syntax.

¶ PKCS #1 describes a method for encrypting data with the RSA public key cryptosystem. It is intended for use in constructing digital signatures and digital envelopes.

¶ PKCS #7 specifies a general syntax for cryptographic messages.

¶ PKCS #10 specifies a standard syntax for certificate requests.

¶ PKCS #11 defines a technology-independent programming interface for cryptographic devices (such as smart cards).

¶ PKCS #12 specifies a portable format for storing and transporting a user's private keys, certificates, and other secret information.

public key infrastructure (PKI): A standard for security software based on public key cryptography. A PKI is a system of digital certificates, certificate authorities, registration authorities, certificate management services, and distributed directory services. It is used to verify the identities and the intentions of the parties to every transaction on the Internet. Such a transaction may involve three aspects that require identity verification, for example confirming the sending of a document, a request, the integrity of an e-mail message, or a payment transaction.

A PKI achieves this by making public encryption keys and user certificates available for authenticating confidential communications and transactions. It provides an online directory of public encryption keys and certificates, which are used for verifying digital certificates, for credentials, and for digital signatures. It provides a means of responding immediately and efficiently to verification requests and to requests for public encryption keys, identifies robust security boundaries between systems, and protects resources against security breaches. Finally, a PKI provides a digital time-stamp service for important transactions.

International Telecommunication Union (ITU): The international organization through which governments and the private sector coordinate global telecommunications networks and services. It is the leading publisher of telecommunications technology, regulatory, and standards information.

International Organization for Standardization (ISO): An international body that develops and publishes standards for everything from wine glasses to computer network protocols.

server: (1) In a network, a data station that provides functions to other stations; for example, a file server. (2) In TCP/IP, a system that handles requests from systems at other sites. See client/server.

server certificate: A digital certificate, issued by a CA, that lets a Web server carry out SSL-based transactions. When a browser connects to the server with the SSL protocol, the server sends the browser its public key; this allows the server's identity to be authenticated and lets encrypted information be sent to the server. See also CA certificate, digital certificate, and browser certificate.

servlet: A server-side program that adds functions to a Java-enabled server.

top CA: The CA at the top of a PKI CA hierarchy.

site certificate: A certificate similar to a CA certificate but valid only for a particular Web site. See also CA certificate.

distinguished name (DN): The unique name of a data item stored in the Directory. A DN uniquely identifies the position of an entry within the Directory's hierarchical structure.

American National Standard Code for Information Interchange (ASCII): The standard code used for information interchange among data processing systems, data communication systems, and associated equipment. The ASCII set consists of a 7-bit coded character set (8 bits including a parity-check bit) made up of control characters and graphic characters.

certificate revocation list (CRL): A digitally signed, time-stamped list of the certificates that a certificate authority has revoked. Certificates on the list are considered invalid. See also digital certificate.

certificate extension: An optional feature of the X.509v3 certificate format that allows additional fields to be carried in a certificate. There are standard extensions and user-defined extensions. Standard extensions serve various purposes, including information about keys and policies, attributes of the subject and the issuer, and certification path constraints.

certificate profile: The set of characteristics that defines a required certificate type (such as an SSL certificate or an IPSec certificate). A profile helps manage the application for and registration of certificates. The issuer can rename a profile or specify the characteristics a certificate must have (for example, validity period, key usage, and DN constraints).

certificate policy: A named set of rules that indicates whether a certificate is applicable to a particular class of applications with common security requirements. For example, a certificate policy can indicate whether a given type of certificate entitles a user to trade goods within a certain price range.

sign: To generate a signature with a private key. The signature is the means by which the signer takes responsibility for the message and proves having created it.

signing/verifying: Signing is generating a signature with a private digital key; verifying is checking that signature with the corresponding public key.

Simple Mail Transfer Protocol (SMTP): The protocol for transferring electronic mail over the Internet.

schema: In the Directory context, the internal structure that defines the relationships among the different object types.

smart card: A hardware device, usually the size of a credit card, that stores a user's digital keys. A smart card can be password-protected.

Secure Sockets Layer (SSL): A communications protocol, developed by Netscape and later standardized by the IETF as Transport Layer Security (TLS), with built-in security services that are visible to but not exposed to the end user. It provides a digitally protected communication channel. An SSL-enabled server normally accepts SSL connection requests on a port different from the one used for standard HTTP requests. In an SSL session only one handshake is needed to set up communication between the two nodes; thereafter the communication is encrypted, and message integrity checks continue until the SSL session expires.

security domain: A group (a root, a workgroup or team, or a department or organization) whose certificates are certified by the same CA. A user holding a certificate signed by a given CA can trust the identity of any other user holding a certificate signed by the same CA.

cross-certification: A trust model in which one CA sends another CA a certificate containing the public CA key that corresponds to its private signing key. Cross-certification lets client systems and end-entities in one administrative domain communicate securely with client systems and end-entities in another domain.

target: A specified or selected data source.

symmetric cryptography: Cryptography that uses the same key for both encryption and decryption. Its security rests on the key: if the key is compromised, anyone can encrypt and decrypt messages. Confidentiality of communication is maintained only as long as the key remains secret. Contrast with asymmetric cryptography.

symmetric key: A key that can be used for both encryption and decryption. See also symmetric cryptography.

type: See object type.

chain validation: Validation of the signatures of all the CAs in the established hierarchy that issued a given certificate. For example, if a CA's signed certificate was itself issued by another CA, both signatures are validated when a certificate presented by a user is validated.

Abstract Syntax Notation One (ASN.1): An ITU standard notation used to define the syntax of information data. It defines a number of simple data types and specifies a notation for referencing those types and for specifying values of those types. The notation can be applied whenever the abstract syntax of information needs to be defined, without constraining how the information is encoded for transmission.

Data Encryption Standard (DES): A block cipher defined and endorsed by the United States government as an official standard in 1977. It was originally developed by IBM. DES has been studied intensively since its publication and is the best-known and most widely used cryptosystem in the world.

DES is a symmetric cryptosystem: when used for communication, sender and receiver must know the same secret key, which is used both to encrypt and to decrypt the message. DES can also be used for single-user encryption, such as storing files on a hard disk in encrypted form. DES has a 64-bit block size and uses a 56-bit key during encryption. It was originally designed for implementation in hardware. NIST (the National Institute of Standards and Technology) recertifies DES as the official United States government encryption standard every five years. (The standard was finally withdrawn in 2005; a 56-bit key is far too short for current use.)

Data Storage Library (DL): A module that provides access to a consistent data store of certificates, CRLs, keys, policies, and other security-related objects.

daemon: A program that performs tasks in the background. It is invoked automatically when a situation arises that requires its assistance; because it is normally started by the system, users need not be aware of its existence. A daemon may wait indefinitely, or the system may re-create it at intervals.

The term (pronounced like "demon") comes from mythology. It was later given the interpretation DAEMON, an abbreviation of Disk And Execution MONitor.

digital certificate: An electronic credential issued by a trusted third party to an individual or an organization. Each certificate is signed with the CA's private key and serves as a guarantee of the identity of a person, a root, or an organization.

Depending on the CA's reputation, a certificate can attest that its holder is entitled to do e-business on the Internet. In a sense, a digital certificate plays a role similar to a driver's license or a diploma: it attests that the holder of the corresponding private key is entitled to carry out particular e-business transactions or other functions within an organization.

A certificate contains information about the entity it certifies (a person, a machine, or a computer program), including that entity's certified public key.

digital signature: A coded message attached to a document or data that proves the identity of the sender. A digital signature can provide a higher level of security than a handwritten signature, because it is neither an encrypted name nor a simple identification code but an encrypted digest of the message being signed. Digitally signing a message therefore identifies the sender exactly (only the sender's key can produce the signature) and also fixes the content of the signed message (the encrypted digest must depend on the message content, or the signature is invalid). Because the digest, or hash, would no longer correspond, a digital signature cannot be copied from one message and applied to another, and any change to an already signed message invalidates the signature.

Digital Signature Algorithm (DSA): A public key algorithm used as part of the Digital Signature Standard. It cannot be used for encryption, only for digital signatures.

digital certification: See certification.

Directory: A hierarchical structure intended as a global repository for information related to communication, such as e-mail and encryption. The Directory stores items essential to the PKI structure, such as public keys, certificates, and certificate revocation lists.

Data in the Directory is arranged hierarchically in a tree whose root is at the top. Upper levels usually represent countries, nations, or roots; users and devices are normally represented as the leaves at the edge of the tree. Each of these users, organizations, localities, countries, and devices has an entry, and each entry consists of a set of specified attributes that provide information about the object the entry represents.

Every entry in the Directory has an associated distinguished name (DN). The DN is unique when the entry includes an attribute known to be unique for objects of that kind. As an example, consider the following DN, in which the country (C) is the United States (US), the organization (O) is IBM, the organizational unit (OU) is Trust, and the common name (CN) is CA1:

C=US/O=IBM/OU=Trust/CN=CA1

Transmission Control Protocol/Internet Protocol (TCP/IP): A set of communication protocols that supports peer-to-peer connectivity functions for local area networks (LANs) and wide area networks (WANs).

enrollment: In Tivoli PKI, the process of obtaining credentials over the Internet. Enrollment includes requesting, renewing, and revoking certificates.

registration facility: The Tivoli PKI application framework that provides the functions for registering entities such as browsers, routers, e-mail, and secure client applications, and for managing certificates throughout their life cycle.

Registration Authority (RA): Software that manages digital certificates so that the organization's policies are applied correctly from the time a registration request is first received until the certificate is revoked.

registrar: A user authorized to access the RA Desktop and to manage certificates and certificate requests.

enrollment attribute: An enrollment variable included in an enrollment form. Its value represents information entered at enrollment time and remains valid for the lifetime of the credential.

registration database: A database of information about certification requests and issued certificates. It holds the registration data and every change made to certificate data during the life cycle, and can be updated by the RA process, by policy exits, or by a registrar.

registration domain: The set of resources, policies, and configuration options associated with a particular certificate registration process. The domain name is a subset of the URL used to run the registration facility.

registration process: In Tivoli PKI, the user-validation steps that certify a user and the user's public key so that the user can take part in particular transactions. The process may be local or Web-based, and may be automated or administered by a person.

enrollment variable: See enrollment attribute.

preregistration: In Tivoli PKI, the process by which one user (normally an administrator) enrolls on behalf of another user. Once the request is approved, the RA supplies information that later lets the user obtain the certificate with the Tivoli PKI client application.

Distinguished Encoding Rules (DER): Restrictions applied to BER. DER selects exactly one of the encoding forms that the encoding rules permit and removes all of the sender's options.
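The DN, object identifier, ASN.1, BER, and DER entries describe an encoding without showing one. The following Python is an added example, not code from the Tivoli PKI manual: it encodes the sample DN from the Directory entry (C=US/O=IBM/OU=Trust/CN=CA1) as an X.501 Name in DER, and decodes it again while rejecting the forms DER forbids but BER allows (indefinite and non-minimal lengths). The attribute-type OIDs are the standard X.520 values; the slash-separated DN syntax follows the manual's example, and the decoder assumes single-valued RDNs with PrintableString values (an assumption made for brevity, not a rule of X.501).

```python
"""Hand-rolled DER encoder/decoder for an X.501 Name (a distinguished name).

Added example, not code from the Tivoli PKI manual. Assumes the manual's
slash-separated DN syntax and single-valued RDNs with PrintableString values.
"""
from typing import List, Tuple

TAG_SEQUENCE = 0x30          # universal, constructed SEQUENCE
TAG_SET = 0x31               # universal, constructed SET
TAG_OID = 0x06               # OBJECT IDENTIFIER
TAG_PRINTABLE_STRING = 0x13  # PrintableString

# X.520 attribute types: joint-iso-itu-t(2) ds(5) attributeType(4) <n>
ATTRIBUTE_OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}
OID_ATTRIBUTES = {oid: name for name, oid in ATTRIBUTE_OIDS.items()}


def der_length(n: int) -> bytes:
    """Definite length in the shortest form. BER also allows the indefinite form
    (0x80 ... 00 00) and padded long forms; DER forbids both, which is what
    makes a DER encoding unique for a given value."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_length(len(value)) + value


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: the first two arcs are packed as 40*a+b; every later arc
    is base-128 with the high bit set on all bytes except the last of that arc."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def encode_dn(dn: str) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName
    RDN ::= SET OF AttributeTypeAndValue ::= SEQUENCE { type OID, value PrintableString }"""
    rdns = []
    for part in dn.split("/"):
        attr, value = part.split("=", 1)
        atv = encode_oid(ATTRIBUTE_OIDS[attr]) + tlv(TAG_PRINTABLE_STRING, value.encode("ascii"))
        rdns.append(tlv(TAG_SET, tlv(TAG_SEQUENCE, atv)))
    return tlv(TAG_SEQUENCE, b"".join(rdns))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos); raise on anything DER does not permit."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is BER, not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or length >> (8 * (n - 1)) == 0:
            raise ValueError("non-minimal length is BER, not DER")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_dn(der: bytes) -> List[Tuple[str, str]]:
    tag, name, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a Name")
    result, pos = [], 0
    while pos < len(name):
        tag, rdn, pos = read_tlv(name, pos)
        if tag != TAG_SET:
            raise ValueError("an RDN must be a SET")
        _, atv, _ = read_tlv(rdn, 0)          # single-valued RDN assumed
        _, oid, p = read_tlv(atv, 0)
        _, val, _ = read_tlv(atv, p)
        result.append((OID_ATTRIBUTES[decode_oid(oid)], val.decode("ascii")))
    return result


if __name__ == "__main__":
    der = encode_dn("C=US/O=IBM/OU=Trust/CN=CA1")
    print(der.hex())
    print(decode_dn(der))
```

The 59-byte output begins 30 39 31 0b 30 09 06 03 55 04 06 13 02 55 53: the outer SEQUENCE, the first SET (the C=US RDN), its inner SEQUENCE, the OID 2.5.4.6 (0x55 = 40*2+5), and the PrintableString "US". Feeding the decoder an indefinite-length header (30 80 ...) raises, which is the practical difference between accepting BER and insisting on DER: a certificate field that can be encoded in more than one way can also be signed in one form and parsed in another.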

domain: See security domain and registration domain.

trusted computer base (TCB): The software and hardware components that enforce and protect an organization's computer security policy. Any component (or part of a component) that affects the enforcement of the security policy is security-relevant and part of the TCB. The TCB is the set of objects bounded by the security perimeter. The mechanisms that enforce the security policy must be free of defects and must prevent unauthorized programs outside the system from gaining access.

trust domain: A set of entities whose certificates are certified by the same CA.

trust model: The structural rules that determine how certificate authorities grant certification to other certificate authorities.

transaction ID: An ID assigned by the RA in response to a preregistration enrollment request. It lets the user run the Tivoli PKI client application to obtain the approved certificate.

triple DES: A symmetric algorithm that encrypts plaintext three times. There are several ways to do this; the most secure form of multiple encryption is triple DES with three independent keys.

tunnel: In VPN technology, an on-demand virtual point-to-point connection established over the Internet. While connected, a remote user can exchange secure, encrypted, and encapsulated information through the tunnel with servers on the corporate private network.

internal structure: See schema.

authentication: The process of reliably confirming the identities of the two parties to a communication.

certification: The process by which a trusted third party issues an electronic credential that guarantees the identity of a person, a root, or an organization.

certificate authority (CA): Software with the authority to assign protected electronic identities, in the form of certificates, according to the organization's security policy. The CA processes requests from the RA to issue, renew, and revoke certificates, and works with the RA to publish certificates and CRLs to the Directory. See also digital certificate.

credential: Secret information used to establish a person's identity for authentication purposes. In network computing the most common form of credential is a certificate created and signed by a CA.

bytecode: Machine-independent code generated by the Java compiler and executed by the Java interpreter.

hypertext: Text containing a series of words or graphics that the reader can click with a mouse to reference and display another document. Those words or graphics are called hyperlinks, and the reference is called a link.

Hypertext Markup Language (HTML): A markup language for coding Web pages. It is based on SGML.

issued certificate list (ICL): A complete list of the certificates that have been issued and their current status. Each certificate is assigned a serial number and a status code. The list is maintained by the CA and stored in the CA database.

business process objects: A set of code used to carry out a particular registration function, for example checking the status of a registration request or verifying that a public key has been sent.

business process template: A set of business process objects executed in a specified order.

asymmetric cryptography: Cryptography that uses a different, asymmetric key for encryption and for decryption. Each user receives a pair of keys: the public key is accessible to everyone, while the private key is known only to its individual user. A protected transaction takes place only when the public key and its corresponding private key are both present, at which point the transaction can be decrypted. Also called key pair cryptography. Contrast with symmetric cryptography.

asynchronous communication: A form of communication that does not require the sender and the receiver to be present at the same time.

repudiate: To reject something as false; for example, to deny having sent a particular message or having submitted a particular request.

non-repudiation: The use of a digital private key so that a signer cannot deny having signed a document.

private key: The key of a public/private key pair that is available only to its owner. It lets the owner receive private transactions and create digital signatures. Data signed with a private key can be verified only with the corresponding public key. Contrast with public key. See also public/private key pair.

Standard Generalized Markup Language (SGML): A standard for describing markup languages. HTML is based on SGML.

firewall: A gateway between networks used to restrict the flow of information between them; usually deployed to protect an internal network from unauthorized use from outside.

File Transfer Protocol (FTP): The Internet client/server protocol used to transfer files between computers.

privacy: Protection of data from unauthorized viewing.

browser: See Web browser.

browser certificate: A digital certificate, also called a client-side certificate, issued by a CA through an SSL-enabled Web server. The holder can encrypt, decrypt, and sign data with keys kept in an encrypted file; the Web browser normally stores these keys, although some applications store them on a smart card or other medium. See also digital certificate.

proxy server: An intermediary between the requester of access (computer A) and the target of the access (computer B). When an end user requests a response from computer A, the request goes to the proxy server, which makes the request, receives the response from computer B, and forwards it to the end user. Proxy servers are useful for reaching World Wide Web (WWW) resources on the far side of a firewall.

protocol: An agreement on the rules for communication between computers.

document encrypting key (DEK): Normally a symmetric encryption/decryption key; for example, a DES key.

American National Standards Institute (ANSI): The organization that administers the procedures by which accredited bodies create and maintain voluntary industry standards in the United States. It is composed of manufacturers, consumers, and interested members of the general public.

cleartext: Data that is not encrypted. Synonym for plaintext.

plaintext: Data that is not encrypted. Synonym for cleartext.

integrity: A system is said to protect the integrity of data when it prevents unauthorized modification of that data. (When it prevents unauthorized viewing, it protects the confidentiality of the data.)

integrity checking: Checking the audit records produced as a result of transactions with external components.

policy exit: In the registration facility, a program defined by the organization and called by the registration application. The rules specified in each policy exit apply the organization's business and security preferences to the registration process.

message authentication code (MAC): A short code computed over a message with a secret key shared by the sender and the receiver; the sender generates it and the receiver checks it. In Tivoli PKI, the MAC key is kept in the KeyStore of the CA component and of the Auditing component.

message digest: A one-way function that takes a message of arbitrary size and produces a fixed-size output. MD5 is an example of a message digest algorithm.

modulus: In the RSA public key cryptosystem, the product (n) of two large primes p and q. The length of the RSA modulus depends on the required level of security: the larger the modulus, the greater the security. The RSA Laboratories key-size recommendations at the time of writing, by intended use, were 768 bits for personal use, 1024 bits for corporate use, and 2048 bits for extremely valuable keys such as a CA's key pair, with 768-bit keys considered secure until at least 2004. (Those figures are now obsolete: a 768-bit RSA modulus was publicly factored in 2009, and 1024-bit moduli are no longer considered adequate; 2048 bits is the current minimum for general use.)

user authentication: The process of validating that the originator of a message is an identifiable, legitimate owner of that message, and that the party one is communicating with is the user or system it claims to be.

request ID: A 24- to 32-character ASCII value that uniquely identifies a certification request to the RA. The value can be used in a certification-request transaction to look up the status of the request or certificate associated with that transaction.

authorization: Permission to access a resource.

4758 PCI Cryptographic Coprocessor: A programmable, tamper-responding cryptographic PCI bus card that provides high-speed DES and RSA cryptographic processing. Cryptographic processing takes place inside a protected enclosure on the card, which meets the stringent requirements of FIPS PUB 140-1 Level 4. Software can also run inside the protected enclosure, for example to use the SET™ standard for processing credit card transactions.

A

ACL: Access control list.

ANSI: American National Standards Institute.

ASCII: American National Standard Code for Information Interchange.

ASN.1: Abstract Syntax Notation One.

B

base64 encoding: A common method of transporting binary data in MIME.

BER: Basic Encoding Rules.

C

CA: Certificate authority.

CA hierarchy: One of the established structures of Tivoli PKI: a single CA at the top, with up to four tiers of subordinate CAs beneath it. When a user or server enrolls with a CA, it receives a certificate signed by that CA and inherits the established hierarchy above it.

CA server: The server for the Tivoli PKI certificate authority (CA) component.

CA certificate: A certificate that a Web browser receives, at the user's request, from a CA it does not yet know. The browser can use this certificate to authenticate communication with servers that hold certificates issued by the same CA.

CAST-64: A block cipher with a 64-bit block size and a 64-bit key, designed by Carlisle Adams and Stafford Tavares.

CCA: IBM Common Cryptographic Architecture.

CDSA: Common Data Security Architecture.

CGI: Common Gateway Interface.

CRL: Certificate revocation list.

CRL publication interval: A setting in the CA configuration file that specifies how often the CRL is periodically published to the Directory.

D

DEK: Document encrypting key.

DER: Distinguished Encoding Rules.

DES: Data Encryption Standard.

Diffie-Hellman: A method for establishing a shared key over an unprotected medium, named after its inventors (Diffie and Hellman).

Directory server: The IBM SecureWay® Directory in Tivoli PKI. The Directory supports the LDAP standard and uses DB2 as its base.

DL: Data Storage Library.

DN: Distinguished name.

DSA: Digital Signature Algorithm.

E

e-business: Commerce conducted over networks and computers. It includes the sale of goods and services, and also the transfer of information by digital communication.

e-commerce: Business-to-business commerce, including the sale of goods and services over the Internet (among customers, manufacturers, vendors, and others). It is a major part of e-business.

F

FTP: File Transfer Protocol.

H

HTML: Hypertext Markup Language.

HTTP: Hypertext Transfer Protocol.

HTTP server: A server that handles Web-based communication with browsers and other programs on the network.

Hypertext Transfer Protocol (HTTP): The Internet client/server protocol for transferring hypertext files across the Web.

I

ICL: Issued certificate list.

IETF (Internet Engineering Task Force): The group responsible for developing Internet protocol technology. It is an international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet.

IniEditor: The tool used to edit configuration files in Tivoli PKI.

IPSec: The Internet Protocol security standard developed by the IETF. IPSec is a network-layer protocol designed to provide cryptographic security services; it flexibly supports combinations of authentication, integrity, access control, and confidentiality. Because its authentication is strong, many VPN product vendors have adopted it as the protocol for establishing secure point-to-point connections over the Internet.

ISO: International Organization for Standardization.

ITU: International Telecommunication Union.

J

Java: A set of network-oriented, platform-neutral computer technologies developed by Sun Microsystems, Incorporated. The Java environment consists of the Java OS, virtual machines for various platforms, the object-oriented Java programming language, and several class libraries.

Java application: A stand-alone program written in the Java language. It runs outside the context of a Web browser.

Java applet: See applet. Contrast with Java application.

Java Virtual Machine (JVM): The part of the Java runtime environment that supervises the interpretation of bytecode.

Java class: A unit of Java program code.

Java language: A programming language developed by Sun Microsystems and designed specifically for use in applets and agent applications.

K

KeyStore: A DL for storing the credentials (keys, certificates, and so on) of Tivoli PKI components in encrypted form.

L

LDAP: Lightweight Directory Access Protocol.

Lightweight Directory Access Protocol (LDAP): The protocol used to access the Directory.

M

MAC: Message authentication code.

MD2: A 128-bit message digest hash function designed by Ron Rivest. It is used in the PEM protocol along with MD5.

MD4: A 128-bit message digest hash function designed by Ron Rivest. It is faster than MD2.

MD5: A one-way message digest hash function designed by Ron Rivest as an improved version of MD4. MD5 processes the input text in 512-bit blocks, each divided into sixteen 32-bit sub-blocks. The output of the algorithm is a set of four 32-bit blocks, which are concatenated to form a single 128-bit hash value. It is used in the PEM protocol along with MD2. (MD5 is no longer collision-resistant and must not be relied on for signatures or integrity of attacker-controlled data.)

MIME (Multipurpose Internet Mail Extensions): A freely available set of specifications that makes it possible to exchange text in languages with different character sets, and to exchange multimedia e-mail among the many different computer systems that use Internet mail standards. For example, e-mail messages can contain character sets other than US-ASCII, rich text, images, and sounds.

N

National Security Agency (NSA): The official security agency of the United States government.

NIST: National Institute of Standards and Technology, formerly the NBS (National Bureau of Standards). It promotes open standards and interoperability in the computer-based industries.

NLS: National language support.

nonce: A string sent by a server or application to request the user's authorization. The user being authenticated signs the nonce with a private key; the user's public key and the signed nonce are returned to the server or application that requested authentication. The server then uses the user's public key to verify the signature on the nonce (conceptually, decrypting the signed nonce). If the recovered nonce matches the one originally sent, the user is authenticated.

NSA: National Security Agency.

O

ODBC: Open Database Connectivity.

Open Database Connectivity (ODBC): A standard for accessing different database systems.

OSI: Open Systems Interconnection.

P

PC card: A device similar to a smart card, sometimes called a PCMCIA card. It is somewhat larger than a smart card and usually has greater storage capacity.

PEM: Privacy-enhanced mail.

PKCS: Public Key Cryptography Standards.

PKCS #1: See Public Key Cryptography Standards.

PKCS #10: See Public Key Cryptography Standards.

PKCS #11: See Public Key Cryptography Standards.

PKCS #12: See Public Key Cryptography Standards.

PKCS #7: See Public Key Cryptography Standards.

PKI: Public key infrastructure.

PKIX: An X.509v3-based PKI.

PKIX CMP: PKIX certificate management protocol.

PKIX listener: The HTTP server that a given registration domain uses to listen for requests from the Tivoli PKI client application.

PKIX certificate management protocol (CMP): The protocol that enables communication with PKIX-compliant applications. CMP uses TCP/IP as its basic transport mechanism, with an abstraction layer over sockets that makes it possible to support additional transports such as polling.

privacy-enhanced mail (PEM): The Internet's privacy-enhanced mail standard, adopted by the Internet Architecture Board (IAB) to provide protection for e-mail on the Internet. The PEM protocols provide encryption, authentication, message integrity, and key management.

R

RA: Registration authority.

RA Desktop: A Java applet that provides the RA with a graphical interface for handling credential requests and managing credentials throughout their lifetime.

RA server: The server for the Tivoli PKI registration authority component.

RC2: A variable-key-size block cipher designed by Ron Rivest for RSA Data Security. "RC" stands for Ron's Code or Rivest's Cipher. It is faster than DES and was designed as a drop-in replacement for it; depending on the key size used, its resistance to exhaustive key search can be greater or less than that of DES. Its block size is 64 bits, and in software it runs two to three times faster than DES. RC2 can be used in the same modes as DES.

Under an agreement between the Software Publishers Association (SPA) and the United States government, RC2 was given special status: export approval was simpler and quicker than the usual procedure for cryptographic products, but, with many exceptions, a product had to limit its RC2 key size to 40 bits to obtain it. An additional string (a salt) can be used to frustrate attackers who try to precompute a large lookup table of all possible ciphertexts.

RSA: A public key cryptographic algorithm named after the initials of its inventors (Rivest, Shamir, and Adleman). It is used for both encryption and digital signatures.

S

Secure Electronic Transaction (SET): An industry standard that facilitates protected credit card or debit card payments over untrusted networks. Because it requires certificates to be issued, the standard includes authentication of the cardholder, the merchant, and the card issuer.

SET: Secure Electronic Transaction.

SGML: Standard Generalized Markup Language.

SHA-1 (Secure Hash Algorithm): An algorithm designed by NIST and the NSA for use with the Digital Signature Standard. The underlying standard is the Secure Hash Standard; SHA is the algorithm that standard uses. SHA-1 produces a 160-bit hash. (Practical SHA-1 collisions have since been demonstrated, and it is deprecated for digital signatures.)

SMTP: Simple Mail Transfer Protocol.

SSL: Secure Sockets Layer.

S/MIME: A standard that supports signing and encrypting e-mail sent over the Internet. See MIME.

T

TCP/IP: Transmission Control Protocol/Internet Protocol.

Tivoli PKI: An integrated Tivoli security solution that supports the issuing, renewal, and revocation of digital certificates. Such certificates can be used in a variety of Internet applications and provide a means of authenticating users and ensuring trusted communication.

TP: Trust Policy.

trust chain: The series of certificates, from a user certificate up to a root or self-signed certificate, that forms a trusted hierarchy.

U

Unicode: A character set, aligned with ISO 10646, that was originally defined with 16-bit code points. The Unicode character encoding standard is an international character code for information processing; it covers the major scripts of the world and provides the basis for internationalizing and localizing software. All source code in the Java programming environment is written in Unicode.

Uniform Resource Locator (URL): A method of addressing a resource on the Internet. A URL specifies the protocol, host name, and IP address, and also includes the port number, path, and resource details needed to reach the resource on a particular machine.

URL: Uniform Resource Locator.

UTF-8: A transformation format that lets information-processing systems able to handle only 8-bit character sets convert 16-bit Unicode into the corresponding 8-bit data, and back, without loss of information.

V

VPN: Virtual Private Network.

W

WebSphere™ Application Server: An IBM product that helps users develop and manage high-performance Web sites. It makes it easy to move from merely publishing information on the Web to full-function e-business Web applications. WebSphere Application Server consists of a Java-based servlet engine that is independent of the Web server and its operating system.

Web server: A server program that responds to requests for information resources from browser programs. See also server.

Web browser: Client software that runs on a desktop PC and lets the user browse the World Wide Web (WWW) and local HTML pages. It is a reference tool that gives access to the vast collection of hypermedia information resources available on the Web and the Internet. Some browsers display text and graphics; others display text only. Most browsers can handle the major forms of Internet communication, such as FTP transactions.

World Wide Web (WWW): The part of the Internet in which a network of connections is established among computers holding hypermedia resources. These resources provide information and can also provide links to other resources on the WWW and the Internet. WWW resources are accessed through a Web browser program.

X

X.500: A standard for implementing a multipurpose, distributed directory service through the interconnection of computer systems. It was defined jointly by the International Telecommunication Union (ITU, formerly the International Telegraph and Telephone Consultative Committee (CCITT)) and the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC).

X.509 certificate: A widely accepted certificate standard designed to support secure management and distribution of digitally signed certificates across protected Internet networks. An X.509 certificate defines a data structure that brings together the procedures for distributing public keys that have been digitally signed by a trusted third party.

X.509 Version 3 certificate: An X.509v3 certificate has an extended data structure that allows certificate request information, certificate renewal information, certificate revocation information, policy information, and digital signatures to be stored and referenced.

The X.509v3 process produces a time-stamped CRL for all certificates. Each time a certificate is used, an application can use the X.509v3 facilities to check the certificate's validity and to determine whether the certificate appears on a CRL. An X.509v3 CRL can be configured for a particular validity period, and also on the basis of other circumstances that may invalidate a certificate; for example, if a person's name changes, the certificate for that name is placed on the CRL.

Index

Entries are arranged in the order Japanese terms, numerals, Latin letters, and special characters. Voiced and semi-voiced kana are treated as identical to the corresponding unvoiced kana.

accessibility options 53

access control list 18

access level, changing the attribute 18

uninstalling
  server components, on AIX 31
  server components, on NT 32

encryption key, CA 45

encryption key, RA 51

importing configuration data 12, 44

adding attributes to object classes 19

operating systems, supported 5

starting the Setup Wizard 9

Show Extended Messages button 53

customizing the registration domain 29

Audit server
  description 35
  port number 44
  host name 44

keyboard control 53

confidentiality level, changing the attribute 18

common name, in DN 23

permissions, slapd.conf 27

country, in DN 23

client application
  description 39
  PKIX requests 39

class, adding attributes 19

verifying the configuration 25

configuration
  status information 53
  remote server 12
  workstation 5
  Tivoli PKI database 53

configuring an existing Directory 16

configuration data
  importing 12, 44
  Audit server name 44
  Audit server port 44
  client authentication options 50
  verifying 25
  public Web server 50
  startup options 43
  secure Web server 50
  applying 53
  registration domain 49
  saving 52
  migration 44
  summary 52
  worksheet, for recording options 7
  4758 coprocessor 45, 51
  CA DN 44
  CA key 45
  CA server name 44
  CA server port 44
  Directory administrator 48
  Directory server name 46
  Directory server port 46
  Directory root 47
  RA key 51

configuration data, migrating 44

configuration data worksheet 7

configuration file, editing 28

configuration process 53

configuration user 9

structural object class 19

server
  uninstalling, from AIX 31
  uninstalling, from Windows NT 32
  Audit 44
  public 50
  secure 50
  CA 44
  Directory 46
  IBM HTTP 50
  Tivoli PKI 43

reconfiguring the system 30

79F`Wo 5

BTMj"'ZWaN 25

B079F`N`w 26

O0*W7gs 43

}8"=.G<?N 6

V*;W\?s 53

Z@qI}WmH3k (CMP) 39

Z@q;s?< 25

Z@qhjC7j9H (CRL) 36

j_O"DN N 24

qA

b@ ix

Tivoli ;-ejF#<=J xi

9-<^jA 19

9^<H&+<I 39

=JN5W 1

;CH"CW&&#6<I

"/;9D=-*W7gs 53

$s9H<kLV 27

+O 9, 43

-<\<I)f 53

=.Wm;9 53

*; 43

`w"BTN 5

XkW 9, 10

]n 27

Web Vi&6<N;CH"CW 5

0q-Nps ix

0-"!)lYkNQ9 18

0-"DN

gx 22

c 22

0-"PKI /i9XNIC 19

H%>"DN N 23

N?TOP]IT ix

G<?Y<9"GU)kH DB2 37

,Q"=.MN 53

P? 25

P?T"'D 28

P?TN'D 28

P?Ia$s

$s9H<k&G#l/Hj< 49

QlJ0 54

+9?^$: 29

@l 49

b@ 39

>0 49

IT ix

T;\)"DN N 24

NJTO>0Q9";CH"CW&&#6<IN 27

~O"DN N 22

'ZWaNBTMj 25

NOTOQ9o<I

Q9 27

k<H DN 47

Directory I}T 48

Q9o<IQ9f<F#jF#< 27

PC/"CW"79F`N 28

/TQ_Z@qj9H (ICL) 36

VO"DN N 24

=-,' x

=(

=.u7 53

=.aC;<8 25, 53

t]>"DN N 24

Vi&6<Wo 5, 54

XkW";CH"CW&&#6<IN 9, 10

T8"=.U!$kN 28

T8"DN N 23

]<H

/i$"sH'Z 50

x+ Web 5<P< 50

;-e" Web 5<P< 50

CA *hSF:5<P< 44

Directory 5<P< 46

]I"=.G<?N 52

]I"O<I&'"XN CA 0N 45

]I"O<I&'"XN RA 0N 51

]n";CH"CW&&#6<IN 27

[9H>

x+ Web 5<P< 50

;-e" Web 5<P< 50

CA *hSF:5<P< 44

Directory 5<P< 46

Tivoli PKI 5<P< 43

\qKD$F ix

80 P<8gs 3 jj<9 7.1

Page 95: Tivoli Public Key Infrastructure - IBMpublib.boulder.ibm.com/tividd/td/PKI/SH09-4529-03/... · ¶ PKI (Public Key Infrastructure) F/Nm8

N^TO^&9&"/7gsKP~9k`n 53

^7sNWo 5

^9-s0"F:$YsHN 35

aC;<8N=( 25, 53

NdTOQf"=.G<?N 7

Ws

HQ5lF$k=-,' x

NiTOi$Vij<"Tivoli PKI Web 5$H ix

jb<H=. 12

k<H DN

b@ 38

>0 47

Q9o<I 47

lYk"0-N!)-NQ9 18

m0&aC;<8 25

NoTOo</9F<7gsNWo 5

NtzO4758 3Wm;C5<

HQD=="CA Q 45

HQD=="RA Q 51

b@ 41

]I"-<N 41

]I"CA 0N 45

]I"RA 0N 51

RSA 05$: 45, 51

AACL NQ9 29

add_rauser f<F#jF#< 28

AuditArchiveAndSign D<k 35

AuditIntegrityCheck D<k 35

CCA 0

"k4j:` 45

5$: 45

]I"O<I&'"XN 41, 45

CA 5<P<

05$: 45

1L> 44

p>"k4j:` 45

b@ 36

]<HVf 44

[9H> 44

4758 3Wm;C5<&*W7gs 45

CfgSetupWizard.html U!$k 9

CfgStart Wm0i`

jb<H&^7se 12

AIX e 11

NT e 11

cfguser f<6<> 9

DDB2"b@ 37

Directory I}T

b@ 38

Q9o<I 48

DN 48

Directory 5<P<

j-"NvD 27

b@ 37

]<HVf 46

[9H> 46

k<H DN 47

Directory I}T 48

Directory 9-<^ 37, 38

Directory Dj< 38

Directory"{8NbNN=. 16

DN

QlJ0 54

,'"~O 22

&L> 23

q> 23

HQ"DN (G#?< 23

j_O 24

H%> 23

T;\) 24

'ZI 44

VO 24

t]> 24

c 22

81Tivoli PKI =.,$I

��

Page 96: Tivoli Public Key Infrastructure - IBMpublib.boulder.ibm.com/tividd/td/PKI/SH09-4529-03/... · ¶ PKI (Public Key Infrastructure) F/Nm8

DN (3-)

Directory I}T 48

Directory 9-<^ 37, 38

Directory Dj< 38

Directory k<H 47

DN (G#?<

"$3s 44, 47, 48

LVps 24

lLps 23

-<\<I)f 53

A0?$W 24

HQ 23

b@ 23

0-gxs 24

H%ps 23

CA DN 44

Directory I}T DN 48

Directory k<H DN 47

DN N@p- 29

IIBM HTTP Server 40, 50

IniEditor Wm0i` 28

IP "Il9

x+ Web 5<P< 50

;-e" Web 5<P< 50

CA *hSF:5<P< 44

Directory 5<P< 46

Tivoli PKI 5<P< 43

LLDAP 8` 37

MMAC (aC;<8N'3<I)

F:h}GN 35

CA h}GN 36

PPKIX Z@q

b@ 39

RRA 0

5$: 51

]I"O<I&'"XN 41, 51

RA 5<P<

05$: 51

4758 3Wm;C5<&*W7gs 51

Readme U!$k 3

RSA 0 45, 51

Ssha-1WithRSAEncryption 45

slapd.conf U!$k 27

SSL

;-e" Web 5<P< 50

b@ 40

Tivoli PKI 40

Swing i$Vij< 5

swingall.jar N@&sm<I 9

swingall.jar U!$k 9

TTivoli

;-ejF#<I}KD$FN Web ps xi

Tivoli PKI

Web ps xi

Tivoli PKI Web 5$H 3

Tivoli PKI =.f<6< 9

UURL

Z@q;s?< 25

;CH"CW&&#6<I 9

P?Ia$s 39

Readme U!$k 3

Tivoli PKI 3

Tivoli PKI [<`&Z<8 ix

Tivoli PKI i$Vij<&Z<8 ix

WWeb 5<P<

x+5<P<> 50

82 P<8gs 3 jj<9 7.1

Page 97: Tivoli Public Key Infrastructure - IBMpublib.boulder.ibm.com/tividd/td/PKI/SH09-4529-03/... · ¶ PKI (Public Key Infrastructure) F/Nm8

Web 5<P< (3-)

x+5<P<&]<H 50

;-e"&5<P<N>0 50

;-e"&5<P<N]<H 50

Tivoli PKI 40

Web 5$H

;-ejF#<I}Nps xi

Tivoli Public Key Infrastructure xi

Web 5$H"Tivoli PKI 3

83Tivoli PKI =.,$I


Printed in Japan

SH88-8501-01