The designated agents for each subsystem are responsible for the everyday management of end-entity requests and other aspects of the PKI:
Certificate Manager agents manage certificate requests received by the Certificate Manager subsystem, maintain and revoke certificates as necessary, and maintain global information about certificates.
DRM agents initiate the recovery of lost keys and can obtain information about key service requests and archived keys.
Recovering lost or archived key information is done automatically in smart card deployments because the TPS server is a DRM agent. Smart cards are marked as lost in the TPS agent page, and then another smart card is later used to recover the old encryption keys automatically during certificate enrollment.
Online Certificate Status Manager agents can perform tasks such as checking which CAs are currently configured to publish their CRLs to the Online Certificate Status Manager, identifying a Certificate Manager to the Online Certificate Status Manager, adding CRLs directly to the Online Certificate Status Manager, and viewing the status of OCSP service requests submitted by OCSP-compliant clients.
TPS agents can view smart card enrollment and formatting activities, list tokens from the token database, edit token information, delete tokens from the token database, and mark tokens as permanently lost, temporarily lost, or damaged.
There is no direct agent interface through which TKS agents interact with the system. However, configured TKS agents are capable of providing the secure communications channel, through the TPS server, that the token management system requires for smart card operations. The allowed smart card operations are similar to those for TPS agents.
The privileged operations of an agent are performed through the Certificate System agent services pages. For a user to access these pages, the user must have a personal SSL client certificate and have been identified as a privileged user in the user database by the Certificate System administrator. For more information on creating privileged users, see the Certificate System Administration Guide.
The default entry page for Certificate Manager agent services is shown in Figure 1.2, “Certificate Manager Agent Services Page”. Only designated Certificate Manager agents, with a valid certificate in their client software, are allowed to access these pages.
A Certificate Manager agent performs the following tasks:
Handling certificate requests.
An agent can list the certificate service requests received by the Certificate Manager subsystem, assign requests, reject or cancel requests, and approve requests for certificate enrollment. See Chapter 3, CA: Handling Certificate Requests.
Certificates can be searched individually or searched and listed by different criteria. The details for all returned certificates are then displayed. See Chapter 4, CA: Finding and Revoking Certificates.
If a user's key is compromised, the certificate must be revoked to ensure that the key is not misused. Certificates belonging to users who have left the organization may also need to be revoked. Certificate Manager agents can find and revoke a specific certificate or a set of certificates. Users can also request that their own certificates be revoked. See Section 4.4, “Revoking Certificates”.
The Certificate Manager maintains a public list of revoked certificates, called the certificate revocation list (CRL). The list is usually maintained automatically, but, when necessary, the Certificate Manager agent services page can be used to update the list manually. See Section 4.5.2, “Updating the CRL”.
Publishing certificates to a directory.
The Certificate System can be configured to publish certificates and CRLs to an LDAP directory. This information is usually published automatically, but the Certificate Manager agent services page can be used to update the directory manually. See Section 5.2, “Manual Directory Updates”.
Managing certificate profiles.
The agent can enable and disable certificate profiles. A profile must be temporarily disabled so that an administrator can make changes to the profile itself through the administrative interface. Once the changes have been made, the agent can re-enable the profile for regular use. See Chapter 2, CA: Working with Certificate Profiles.
The default entry page to the DRM agent services is shown in Figure 1.3, “Data Recovery Manager Agent Services Page”. Only designated DRM agents, with a valid certificate in their client software, are allowed to access these pages.
A DRM agent performs the following tasks:
Authorizing and approving key recovery requests.
Key recovery requires the authorization of one or more recovery agents. The DRM administrator designates recovery agents. Typically, several recovery agents are required to approve key recovery requests in the DRM, so DRM administrators should designate more than one agent.
For more information on these tasks, see Chapter 6, DRM: Recovering Encrypted Data.
The default entry page to the Online Certificate Status Manager agent services is shown in Figure 1.4, “Online Certificate Status Manager Agent Services Page”. Only designated Online Certificate Status Manager agents, with a valid certificate in their client software, are allowed to access these pages.
An Online Certificate Status Manager agent performs the following tasks:
Checking which CAs are currently configured to publish their CRLs to the Online Certificate Status Manager.
Identifying a Certificate Manager to the Online Certificate Status Manager.
Adding CRLs manually to the Online Certificate Status Manager.
Submitting requests for the revocation status of a certificate to the Online Certificate Status Manager.
For more information on these tasks, see Chapter 7, OCSP: Agent Services.
The TPS agent services page allows operations by two types of users: agents and administrators.
The default entry page to the TPS agent services is shown in Figure 1.5, “TPS Agent Services Page”. Only designated TPS agents, with a valid certificate in their client software, are allowed to access these pages.
A TPS agent performs the following tasks:
Listing and searching enrolled tokens by user ID or token CUID.
Listing and searching certificates associated with enrolled tokens.
Searching token operations by CUID.
Editing token information.
Setting the token status.
The TPS agent services page also has a tab to allow operations from TPS administrators.
A TPS administrator can perform the following tasks:
Listing and searching enrolled tokens by user ID or token CUID.
Editing token information, including the token owner's user ID.
Adding tokens.
Deleting tokens.
For more information about TPS agent and administrator tasks, see Chapter 8, TPS: Agent Services.