Chat now with support
Chat with Support

Safeguard Authentication Services 5.1 - Administration Guide

Privileged Access Suite for Unix Introducing One Identity Safeguard Authentication Services Unix administration and configuration Identity management Migrating from NIS Managing access control Managing local file permissions Certificate Autoenrollment [[[Missing Linked File System.LinkedTitle]]] Managing Unix hosts with Group Policy
Safeguard Authentication Services Group Policy
Group Policy Concepts Unix policies One Identity policies
Display specifiers Troubleshooting Glossary

Certificate Autoenrollment on UNIX and Linux

Most of the Certificate Autoenrollment code is implemented in Java. After this code has successfully requested a certificate from a CA, it invokes platform-specific code to store the private key and certificate in a suitable way for the operating system or for particular applications. This platform-specific code is implemented as a shell script, certstore.sh, in the /var/opt/quest/vascert/script directory.

The certstore.sh script is a platform-agnostic front end that chooses and loads a platform-specific back end script:

  • For macOS, the back end script is certstore-mac.sh. This script provides a fully functional implementation that uses the /usr/bin/security tool to integrate with macOS keychains.
  • For UNIX/Linux, the back end script is certstore-DEV.sh. This script provides a skeletal implementation that is convenient for initial experimentation and may be used as the basis for implementation; the script itself does not provide a fully functional implementation:
    • Some of the shell functions in certstore-DEV.sh simply print "UNIMPLEMENTED" and return a non-zero exit status to indicate failure.
    • The following shell functions in certstore-DEV.sh are mock implementations designed to facilitate simple experimentation with the "vascert pulse" command for a user:
      • importIdentity()
      • exportUserCerts()
    • These mock implementations assume that the openssl command is installed and available on the default PATH.
    • The mock implementations also make some platform-specific assumptions (for example, they invoke the mv command with the --backup option), but these are not critical and can be removed.

    As a consequence, on UNIX/Linux some important Certificate Autoenrollment commands, such as "vascert pulse" for the superuser will NOT work until the necessary platform-specific functionality has been implemented in certstore-DEV.sh or a similar script.

See the Examples and further explanation for modifying certstore-DEV.sh on Linux and Unix (284711) KB article for more information on modifying certstore-DEV.sh and a simple example script.

Certificate Autoenrollment requirements and setup

Prior to installing One Identity Certificate Autoenrollment, ensure your system meets the following minimum hardware and software requirements.

Table 18: Certificate Autoenrollment: Minimum requirements
Component Requirements
Operating system

macOS 10.13 (or later)

Red Hat® Enterprise Linux® 6 (or later)

Oracle Solaris® 11 (or later)

SUSE® Linux Enterprise Server 11 (or later)

Ubuntu® 14.04 LTS (or later)

Java unlimited strength policy files For more information, see Java requirement: Unlimited Strength Jurisdiction Policy Files..
Authentication Services

One Identity Authentication Services version 4.1.2 (or later).

Additional software

Certificate Autoenrollment depends on services provided by a Microsoft Enterprise Certificate Authority (CA) in your environment.

In addition to Active Directory and an Enterprise CA, you must install the following software in your environment:

  • Microsoft Certificate Enrollment Web Services

In order for Certificate Autoenrollment to function on client computers, you must configure the following policies:

  • Certificate Services Client - Auto-Enrollment Group Policy

  • Certificate Services Client - Certificate Enrollment PolicyGroup Policy

  • Certificate Templates

Additionally, you must configure Java 1.6 (or later) as the default JVM for your system.

NOTE: Install JRE (Java Runtime Environment) on all platforms other than macOS; macOS requires JDK (Java Development Kit). Typing java on the command line provides instructions.

  • For Linux/UNIX operating systems, install JRE 1.6 (or later).

  • For Mac OS X (that is, your operating system tells you to get it from Apple), install what Apple provides (JRE).

  • For macOS (that is, your operating system tells you to get it from Oracle), install the JDK.

Rights

Enterprise Administrator rights to install software and configure Group Policy and Certificate Template policy (only if Certificate Autoenrollment is not already configured for Windows hosts in your environment.)

Java requirement: Unlimited Strength Jurisdiction Policy Files

By default, most JRE and JDK implementations enforce limits on cryptographic key strengths that satisfy US export regulations. These limits are often insufficient for Certificate Autoenrollment and may lead to "java.security.InvalidKeyException: Illegal key size" failures. The "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" can be installed to remove these limits and enable Certificate Autoenrollment to function properly.

Do I need the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files?

In general the answer is: Yes, these files are needed.

Java 9 and above do not require these files, but Java 6, 7, and 8 rely on these files.

Obtaining and installing the policy files

For Java implementations from IBM, the policy files are usually bundled with the JDK but not the JRE, so it may be more convenient to install the JDK rather than just the JRE. Once the JDK is installed its demo/jce/policy-files/unrestricted directory should contain two JAR files:

  • local_policy.jar
  • US_export_policy.jar

Use these files to replace the corresponding JAR files in the jre/lib/security directory of the JDK. Alternatively, the "Unrestricted SDK JCE policy files" can be downloaded from ibm.com.

For Java implementations from Sun, Oracle and Apple and for OpenJDK implementations, the policy files must be downloaded from Oracle. Each major Java version requires its own policy files:

Each of these downloads is a zip file that includes a README.txt and two JAR files, local_policy.jar and US_export_policy.jar. Use these JAR files to replace the corresponding files in the JRE or JDK:

  • JRE: The lib/security directory usually holds these files.
  • JDK: The jre/lib/security directory usually holds these files.

Installing certificate enrollment web services

The following procedures walk you through the installation and configuration of the required components. If Certificate Autoenrollment is already configured for Windows hosts in your environment, you can skip to Using Certificate Autoenrollment.

To perform these procedures, you need Enterprise Administrator rights to install software and configure Group Policy and Certificate Template policy.

Note: Microsoft has documented all of the steps to install and configure certificate enrollment Web services.

To set up certificate enrollment web services

  1. Review the requirements as specified by Microsoft at: http://technet.microsoft.com/en-us/library/dd759243.aspx.
  2. Follow the instructions at: http://technet.microsoft.com/en-us/library/dd759241.aspx to install the Certificate Enrollment Web Service.
  3. Follow the instructions at: http://technet.microsoft.com/en-us/library/dd759214.aspx to install the Certificate Enrollment Policy Web Service.
  4. Follow the instructions at: http://technet.microsoft.com/en-us/library/dd759140.aspx to configure server certificates for HTTPS.

Certificate enrollment Web services are now installed. Next, you will configure policy settings to enable Certificate Autoenrollment.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating