The designated agents for each subsystem are responsible for the everyday management of end entity requests and other aspects of the PKI:
Certificate Manager (CM) agents manage certificate requests received by the CM subsystem, maintain and revoke certificates as necessary, and maintain global information about certificates.
Data Recovery Manager (DRM) agents initiate the recovery of lost keys and can obtain information about key service requests and archived keys.
Recovering lost or archived key information is done automatically in smart card deployments because the TPS server is a DRM agent. Smart cards are marked as lost in the TPS agent page, and then another smart card is later used to recover the old encryption keys automatically during certificate enrollment.
Online Certificate Status Manager (OCSM) agents can perform tasks such as:
Checking which CAs are currently configured to publish their CRLs to the OCSM.
Identifying a CM to the OCSM.
Adding CRLs directly to the OCSM.
Viewing the status of OCSP service requests submitted by OCSP-compliant clients.
Token Processing System (TPS) agents can perform tasks such as:
Viewing smart card enrollment and formatting activities.
Listing tokens in the token database.
Editing token information.
Deleting tokens from the token database.
Marking tokens as permanently lost, temporarily lost, or damaged.
There is no direct interface for Token Key Service (TKS) agents to interact with the system. However, through the TPS server, the TKS provides the secure communications channel that smart card operations in the token management system require. The smart card operations allowed to TKS agents are similar to those allowed to TPS agents.
The privileged operations of an agent are performed through the Certificate System agent services pages. For a user to access these pages, the user must have a personal SSL client certificate and have been identified as a privileged user in the user database by the Certificate System administrator. For more information on creating privileged users, see the Certificate System Administrator's Guide.
The default entry page for Certificate Manager (CM) agent services is shown in Figure 2.2, “Certificate Manager Agent Services Page”. Only designated CM agents, with a valid certificate installed in their client software, are authorized to access these pages.
A CM agent performs the following tasks:
Handles certificate requests.
An agent can list the certificate service requests received by the CM subsystem, assign requests, reject or cancel requests, and approve requests for certificate enrollment. See Chapter 4, CA: Handling Certificate Requests.
Finds certificates.
Certificates can be searched for individually or searched and listed by different criteria. The details for all returned certificates are then displayed. See Chapter 5, CA: Finding and Revoking Certificates.
Revokes certificates.
If a user's key is compromised, the certificate must be revoked to ensure that the key is not misused. Certificates belonging to users who have left the organization may also need to be revoked. CM agents can find and revoke a specific certificate or a set of certificates. Users can also request that their own certificates be revoked. See Section 5.4, “Revoking Certificates”.
Updates the CRL.
The CM maintains a public list of revoked certificates, called the Certificate Revocation List (CRL). The list is usually maintained automatically, but, when necessary, the CM agent services page can be used to update the list manually. See Section 5.5.2, “Updating the CRL”.
Publishes certificates to a directory.
The Certificate System can be configured to publish certificates and CRLs to an LDAP directory. This information is usually published automatically, but the CM agent services page can be used to update the directory manually. See Section 6.2, “Manual Directory Updates”.
Manages certificate profiles.
The agent can enable and disable certificate profiles. A profile must be temporarily disabled before an administrator can make changes to the profile itself using the administrative interface. After the changes have been made, the agent can re-enable the profile for regular use. See Chapter 3, CA: Working with Certificate Profiles.
The default entry page to the Data Recovery Manager (DRM) agent services is shown in Figure 2.3, “Data Recovery Manager Agent Services Page”. Only designated DRM agents, with a valid certificate in their client software, are authorized to access these pages.
A DRM agent performs the following tasks:
Lists key recovery requests from end entities.
Lists or searches for archived keys.
Recovers private data-encryption keys.
Authorizes and approves key recovery requests.
Key recovery requires the authorization of one or more recovery agents. The DRM administrator designates recovery agents. Typically, several recovery agents are required to approve key recovery requests in the DRM, so DRM administrators should designate more than one agent.
For more information on these tasks, see Chapter 7, DRM: Recovering Encrypted Data.
The default entry page to the Online Certificate Status Manager (OCSM) agent services is shown in Figure 2.4, “Online Certificate Status Manager Agent Services Page”. Only designated OCSM agents, with a valid certificate in their client software, are authorized to access these pages.
An OCSM agent performs the following tasks:
Checks that CAs are currently configured to publish their CRLs to the OCSM.
Identifies a CM to the OCSM.
Manually adds CRLs to the OCSM.
Submits requests for the revocation status of a certificate to the OCSM.
For more information on these tasks, see Chapter 8, OCSP: Agent Services.
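The CRL that the CM publishes (Section 5.5.2) and the revocation status an OCSP responder returns (the OCSM tasks above) carry the same underlying fact: a certificate's serial number is, or is not, on the issuer's revoked list. The following added example, which is not Certificate System code and assumes the third-party Python `cryptography` package is installed, builds a throwaway CA, issues two certificates, revokes one into a signed CRL, and then answers an OCSP request for each certificate from that CRL. All names, keys and dates are constructed for the demo.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

# Constructed reference time so the demo is deterministic about validity windows.
NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)


def make_ca():
    """Create a throwaway CA key pair and self-signed certificate (demo only)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_cert(ca_key, ca_cert, common_name):
    """Issue an end-entity certificate signed by the demo CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=90))
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(ca_key, ca_cert, revoked):
    """Sign a CRL listing each revoked certificate with a keyCompromise reason."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(NOW)
        .next_update(NOW + datetime.timedelta(days=1))
    )
    for cert in revoked:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(cert.serial_number)
            .revocation_date(NOW)
            .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def crl_status(crl_der, ca_cert, cert):
    """Verify the CRL signature against the CA, then look the serial up."""
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA")
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if entry is not None else "good"


def ocsp_status(ca_key, ca_cert, cert, crl_der):
    """Build an OCSP request for `cert` and answer it from the CRL, as a responder would."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, ca_cert, hashes.SHA1()).build()
    revoked = crl_status(crl_der, ca_cert, cert) == "revoked"
    resp = (
        ocsp.OCSPResponseBuilder()
        .add_response(
            cert=cert, issuer=ca_cert, algorithm=req.hash_algorithm,
            cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
            this_update=NOW, next_update=NOW + datetime.timedelta(hours=1),
            revocation_time=NOW if revoked else None,
            revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
        )
        .responder_id(ocsp.OCSPResponderEncoding.NAME, ca_cert)
        .sign(ca_key, hashes.SHA256())
    )
    return resp.certificate_status.name


def demo():
    """Issue two certificates, revoke one, and report both CRL and OCSP answers."""
    ca_key, ca_cert = make_ca()
    good = issue_cert(ca_key, ca_cert, "alice")
    bad = issue_cert(ca_key, ca_cert, "bob")
    crl_der = build_crl(ca_key, ca_cert, [bad]).public_bytes(serialization.Encoding.DER)
    return {
        "alice_crl": crl_status(crl_der, ca_cert, good),
        "bob_crl": crl_status(crl_der, ca_cert, bad),
        "alice_ocsp": ocsp_status(ca_key, ca_cert, good, crl_der),
        "bob_ocsp": ocsp_status(ca_key, ca_cert, bad, crl_der),
    }


if __name__ == "__main__":
    print(demo())
```

The CRL signature is checked before any lookup: a relying party that skips that step would accept a forged list that omits a revoked serial. The OCSP responder here is deliberately fed only by the CRL so the two answers cannot disagree, which is the property an OCSM agent checks for when confirming that each CA is publishing its CRLs to the responder.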
The TPS agent services page allows operations by two types of users: agents and administrators.
The default entry page to the Token Processing System (TPS) agent services is shown in Figure 2.5, “TPS Agent Services Page”. Only designated TPS agents, with a valid certificate in their client software, are authorized to access these pages.
A TPS agent performs the following tasks:
Lists and searches enrolled tokens by user ID or token CUID.
Lists and searches certificates associated with enrolled tokens.
Searches token operations by CUID.
Edits token information.
Sets the token status.
The TPS agent services page also has a tab to allow operations by TPS administrators.
A TPS administrator performs the following tasks:
Lists and searches enrolled tokens by user ID or token CUID.
Edits token information, including the token owner's user ID.
Adds tokens.
Deletes tokens.
For more information about TPS agent and administrator tasks, see Chapter 9, TPS: Agent Services.