Chapter 10. Step 7: Customizing User Data (Non-Console)

Copy all customized plug-ins, profiles, and forms to the new Certificate System, and apply any hand-edited changes to the new Certificate System CS.cfg file.

For example, if the profile configuration in the old_CA_instance has been changed to enable S/MIME support, make the same changes to the new_CA_instance.

In the old Certificate System, S/MIME support is enabled by editing the caTokenUserEncryptionKeyEnrollment profile. Migrate these changes over to the new_CA_instance simply by duplicating the configuration.

  1. Log into the old server as the Certificate System user for that machine, and open the Certificate System profiles/ca/ directory.

  2. Copy the p1 policy set in the caTokenUserEncryptionKeyEnrollment.cfg file, as shown:

    policyset.set1.p1.constraint.class_id=noConstraintImpl
    policyset.set1.p1.constraint.name=No Constraint
    policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
    policyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault
    policyset.set1.p1.default.params.dnpattern=UID=$request.uid$,OU=Engineering,O=Example
    policyset.set1.p1.default.params.ldap.enable=true
    policyset.set1.p1.default.params.ldap.searchName=uid
    policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
    policyset.set1.p1.default.params.ldap.basedn=dc=example,dc=com
    policyset.set1.p1.default.params.ldap.maxConns=4
    policyset.set1.p1.default.params.ldap.minConns=1
    policyset.set1.p1.default.params.ldap.ldapconn.Version=2
    policyset.set1.p1.default.params.ldap.ldapconn.host=ldaphostA.example.com
    policyset.set1.p1.default.params.ldap.ldapconn.port=389
    policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false

    The above configuration would enable S/MIME support for services that use this profile for obtaining certificates, such as the token management systems.

  3. Log into the new server as the Certificate System user, and open the Certificate System profiles/ca/ directory.

  4. Manually change the configuration in the new_CA_instance to mimic the old_CA_instance configuration by editing the p1 policy set in the caTokenUserEncryptionKeyEnrollment.cfg file, as shown:

    policyset.set1.p1.constraint.class_id=noConstraintImpl
    policyset.set1.p1.constraint.name=No Constraint
    policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
    policyset.set1.p1.default.name=nsTokenUserKeySubjectNameDefault
    policyset.set1.p1.default.params.dnpattern=UID=$request.uid$,OU=Engineering,O=Example
    policyset.set1.p1.default.params.ldap.enable=true
    policyset.set1.p1.default.params.ldap.searchName=uid
    policyset.set1.p1.default.params.ldapStringAttributes=uid,mail
    policyset.set1.p1.default.params.ldap.basedn=dc=example,dc=com
    policyset.set1.p1.default.params.ldap.maxConns=4
    policyset.set1.p1.default.params.ldap.minConns=1
    policyset.set1.p1.default.params.ldap.ldapconn.Version=2
    policyset.set1.p1.default.params.ldap.ldapconn.host=ldaphostA.example.com
    policyset.set1.p1.default.params.ldap.ldapconn.port=389
    policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false

The altered profile is now able to serve certificate requests with S/MIME support enabled.
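A small script that performs the copy described above between the two caTokenUserEncryptionKeyEnrollment.cfg files, added here as an example and not part of Certificate System: it takes every key under a policy-set prefix such as policyset.set1.p1. from the old instance's profile, applies it to the new instance's profile while preserving the other keys, and lists the copied LDAP connection keys (host, port, secureConn, basedn) whose values are tied to the old environment and should be confirmed for the new one. The sample inputs are constructed and contain only a subset of the p1 keys shown in the procedure.

```python
"""Copy one policy set between Certificate System profile .cfg files.
Constructed example, not Certificate System code; keys copied under a prefix
such as policyset.set1.p1., with site-specific LDAP keys flagged for review."""

# Copied keys whose values are tied to the old environment and need checking.
REVIEW_SUFFIXES = ("ldap.ldapconn.host", "ldap.ldapconn.port",
                   "ldap.ldapconn.secureConn", "ldap.basedn")

def parse_cfg(text):
    """Parse key=value lines (blank lines and '#' comments skipped)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            entries[key.strip()] = value.strip()
    return entries

def migrate_policy_set(old_text, new_text, prefix):
    """Return the new instance's entries with the old policy set applied,
    plus the copied keys that should be reviewed against the new site."""
    old = parse_cfg(old_text)
    merged = parse_cfg(new_text)          # unrelated keys are preserved
    copied = {k: v for k, v in old.items() if k.startswith(prefix)}
    merged.update(copied)                 # overwrite or add the p1 keys
    review = sorted(k for k in copied if k.endswith(REVIEW_SUFFIXES))
    return merged, review

def render_cfg(entries):
    """Serialise entries back to the one-key-per-line .cfg format."""
    return "".join(f"{k}={v}\n" for k, v in entries.items())

# Constructed sample inputs (subset of the p1 keys shown in the procedure).
OLD_CFG = """\
desc=Token User Encryption Key Enrollment
policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
policyset.set1.p1.default.params.dnpattern=UID=$request.uid$,OU=Engineering,O=Example
policyset.set1.p1.default.params.ldap.enable=true
policyset.set1.p1.default.params.ldap.ldapconn.host=ldaphostA.example.com
policyset.set1.p1.default.params.ldap.ldapconn.secureConn=false
"""
NEW_CFG = """\
desc=Token User Encryption Key Enrollment
policyset.set1.p1.default.class_id=nsTokenUserKeySubjectNameDefaultImpl
policyset.set1.p1.default.params.dnpattern=UID=$request.uid$,O=Example
"""
MERGED, REVIEW = migrate_policy_set(OLD_CFG, NEW_CFG, "policyset.set1.p1.")
```

Write render_cfg(MERGED) over the new instance's profile only after the keys in REVIEW have been checked against the new LDAP host and connection settings.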