Configure Entrust CA with Authorization Code

Anthony - Versasec Support

Introduction

This article describes the steps for configuring the use of authorization codes when issuing certificates from an Entrust CA. For each enrollment an Entrust CA issues a reference number and an authorization code; this pair acts as an authentication code that the operator must present to the CA before it will issue a smart card certificate for the user.

Note
The smart card type that will be managed in this use case will be a generic mini-driver smart card token.

Step 1 - Configure an Entrust CA Connection

1. To add a CA connection, from Options - Connections click the Configure button and make sure that Certificate Authorities is in the Selected window.

2. From Options - Connections click Certificate Authorities and click Add to open the dialog where the CA specific connection details are configured.

3. Enter a template name and select Entrust from the drop-down list. Click the Configure button for Java.

4. Select the version of the installed Java Runtime Environment (JRE); the JRE must be available on the server where the vSEC:CMS is running. Also enter any standard JVM parameters that need to be set for your environment, following the recommendations from Entrust. Click Ok to close.

Important
A 32-bit version of the JRE must be installed on the server, as the vSEC:CMS is a 32-bit application.

5. Click the Configure button for the Client Toolkit dialog.

6. Enter the server address and port that the Entrust CA is running on and click the Test button to check connectivity to the CA. Then choose how the vSEC:CMS authenticates to the CA. Select Do not login if no login to the CA is required. Select Use profile based credentials if a profile file is to be used: browse to the location of the client toolkit epf file, enter the epf passcode and click the Test button to check that the profile credential is valid. Select Use certificate based credentials if a certificate stored on the operator smart card is to be used: select the certificate from the drop-down list (Stored on Operator Token should be displayed in the dialog) and click the Test button to check that the credential is valid. The epf file and its passcode are the credential with which the vSEC:CMS authenticates to the CA, so store the file where only the vSEC:CMS server and its operators can read it.

Note
The certificate credential used on the operator card will need to be present on the card when using this option. The vSEC:CMS does not provide a mechanism to import such certificates onto the operator card.

7. Click OK to save and close the Client Toolkit configuration dialog.

8. Click the Configure button for Admin Toolkit.

9. Enter the server address and port that the Entrust CA is running on and click the Test button to check connectivity to the CA. Then choose how the vSEC:CMS authenticates to the CA, as for the client toolkit. Select Do not login if no login to the CA is required. Select Use profile based credentials if a profile file is to be used: browse to the location of the admin toolkit epf file, enter the epf passcode and click the Test button to check that the profile credentials are valid. Select Use certificate based credentials if a certificate stored on the operator smart card is to be used: select the certificate from the drop-down list (Stored on Operator Token should be displayed in the dialog) and click the Test button to check that the credential is valid.

Note
The certificate credential used on the operator card will need to be present on the card when using this option. The vSEC:CMS does not provide a mechanism to import such certificates onto the operator card.

10. Click OK to save and close.

11. If the user that the smart card is to be issued to is also to be added to the Entrust CA, enable the Add user to CA check box and click the Configure button to open the dialog.

Important
The user will need to exist already in the user directory (typically Active Directory).

12. From the User type drop-down list select the user type that will be assigned to the user. The available types are read from the types that are configured on the Entrust CA.

13. From Certificate type select the type that will be set for the user. The available certificate types are read from the types that are configured on the Entrust CA.

14. Select which group that the user will be assigned to. The available groups are read from the groups that are configured on the Entrust CA.

15. Enable Import from PKCS12 files if PKCS12 file(s) are to be imported during the issuance process, and click the Configure button to configure the settings for the files to be imported. Click the Get button for Certificate Authority Issuer DN to determine the DN of the issuing CA; a PKCS12 file that is to be imported can be selected so that the vSEC:CMS reads the issuer DN from that file. Click the Get button for Default folder to set the default location from which the vSEC:CMS will select PKCS12 files. Enter a default passphrase if the PKCS12 files to be imported are selected automatically from a certificate database certificate list file and every PKCS12 file in that database has the same passphrase. Because PKCS12 files contain private keys, restrict access to the default folder and treat the shared passphrase as a key-protection secret. Click Ok to save and close.

16. Click the Templates button and then the Update button to retrieve all available certificate templates. See the Entrust Certificate Templates section below for further details. Click OK to close.

17. Select Use key archival at CA if the Entrust key archival feature is to be used. Key archival stores a copy of the user's private key at the CA so that it can be recovered later; it is intended for encryption keys, not for signature or authentication keys, whose value depends on the private key existing only on the card.

Step 2 - Configure Connection to LDAP

1. To add an LDAP connection, from Options - Connections click the Configure button and make sure that LDAP Server is in the Selected window.

2. Then from Options - Connections click LDAP Server to add a template.

3. The LDAP server holding the credentials of the users to whom smart cards will be issued is configured here. Enter a template name and the hostname of the LDAP server along with the port and protocol, and enable SSL/TLS if a secure connection is required. Click the Test Connection button to check that the system the vSEC:CMS is running on can connect to the LDAP server. If simple authentication is required, enable this option and provide the username and password used to connect to the LDAP server; note that a simple bind sends this password in clear text unless SSL/TLS is enabled. Click the Save button when complete.

Step 3 - Create a Card Template

1. Navigate to the Options - Smart Cards page. When the page has loaded, attach the smart card token that is to be issued with the vSEC:CMS. The vSEC:CMS will filter on the card type and present the matching smart card template available in the vSEC:CMS.

2. Select the entry and click Edit. For Smart Card Access ensure that Use minidriver if possible is selected and click Save.

3. From Templates - Card Templates click the Add button.

4. Click the Edit link for General.

5. Enter a template name, attach the smart card token that is to be issued and click the Detect button so that the vSEC:CMS detects the smart card token type to be used for this card template. Click Ok to close the dialog.

6. Leave all other settings in the General dialog at their defaults and click Ok to save the settings and close the dialog.

7. Click the Edit link for Issue Card.

8. Under the User ID Options enable the Assign user ID check box and click the Manage button.

9. Click the Add button.

10. Enter a template name and for Type select Entrust (Entrust authorization code).

11. From the Entrust CA drop-down list select the Entrust CA configured earlier. From the User directory drop-down list select the LDAP connector already configured above.

12. Click the Add button to configure the base DN filter that is to be used. This opens a dialog. Enter a name for the filter in the Name field, then either click the Get button so that the vSEC:CMS retrieves the available base DNs, or type and/or edit a base DN manually in the BaseDNs field. For example, if a base DN of 'DC=vsec,DC=local' was retrieved when clicking the Get button, it is shown in the drop-down list. To restrict the LDAP search to a sub tree, for example the sub tree 'OU=Smart Card Users', enter 'OU=Smart Card Users,DC=vsec,DC=local' in the BaseDNs field. In the Filter field an LDAP query filter can be constructed. A filter specifies the conditions that a record must meet to be included in the recordset (or collection) returned by the query.

The Variables section in this dialog can be used to build configurable search filters that are entered into the field provided. It is only needed when you have multiple LDAP servers and must use the result of a search in one LDAP server to search for values in a secondary LDAP server. This is a very specific use case and would not normally be used.

If an authorization code is available to test with, click the first Get ID button. Enter the reference number and authorization code and click the Get button. The authorization code and reference number can also be pasted into the dialog automatically. For example, if the authorization code and reference number are as follows:

AUTH_CODE = 8IYO-6RA3-LHA4

REF_NUM = 12096747

copy these values to the system clipboard and click the Paste button to fill in the required fields automatically.

Click the Get button to retrieve the user associated with this reference and authorization code.

For User detail(s) it is possible to enter a mapping from an attribute name to a friendly name, which is used to retrieve additional attribute details for the selected user. This additional information is then displayed in dialogs that show information about the issued card. For example, to translate the attribute "cn" into the friendlier name "User Name", enter cn=User Name. Click the Test button to test the mapping; you will need to select a user first by clicking the second Get ID button.

Click the Edit button in the Variable(s) section to open an edit dialog.

In this example, the variable name ${UserEmail} is mapped to the directory attribute name mail. In the directory, the attribute mail contains the user's actual email address if it is set. Click Ok to save the association. From the ID Assign dialog it is then possible to test this with an actual user: click the second Get ID button to search AD for a user, select a user, click the Edit button in the Variable(s) section and click the Test button. If the user has an email entry in the AD attribute, this information is shown.

13. Click Save to save the configuration and go back to the Issue Card dialog.

14. Select this newly created template from the User ID Options drop-down list.

15. From the Enroll Certificate Options section enable the Enroll certificate(s) check box and click the Add button. Select the Entrust CA from the Certificate authority drop-down list and select the certificate template to be used from the available list.

16. Click Ok to save the configuration and close out of the template.
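The base DN and filter from step 12 above, worked through in code. This is an added example written for this article, not vSEC:CMS code: it assumes a template syntax in which ${Name} placeholders are substituted into the filter from directory or operator-supplied values, and it does its own RFC 4515 escaping of those values because the article does not say how vSEC:CMS treats them. The user values and the filter template are constructed for the example.

```python
"""Build the LDAP search used to find a card holder: base DN plus filter.

Added example, not vSEC:CMS code. Assumes a filter template syntax in which
${Name} placeholders are replaced by values; the escaping is the example's
own, following RFC 4515 section 3, since the product's behaviour is not
documented here.
"""
import re

# RFC 4515: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample values (hypothetical, not from a real directory).
TEMPLATE = "(&(objectClass=user)(mail=${UserEmail}))"
NORMAL_EMAIL = "jane.doe@vsec.local"
HOSTILE_EMAIL = "*)(objectClass=*"   # tries to close the assertion and add another


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, variables: dict, escape: bool = True) -> str:
    """Substitute ${Var} placeholders in an LDAP filter template.

    escape=False reproduces what happens if values are pasted in verbatim;
    escape=True is the safe form.
    """
    def repl(match: re.Match) -> str:
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unknown filter variable ${{{name}}}")
        value = variables[name]
        return escape_filter_value(value) if escape else value
    return re.sub(r"\$\{(\w+)\}", repl, template)


def subtree_base_dn(ou_path: str, domain_base: str) -> str:
    """Restrict a search to a sub tree, e.g. 'OU=Smart Card Users' under 'DC=vsec,DC=local'."""
    return f"{ou_path},{domain_base}"


def assertion_count(ldap_filter: str) -> int:
    """Count '(attr=' assertions; extra ones mean the value altered the filter."""
    return len(re.findall(r"\([A-Za-z][\w.-]*=", ldap_filter))


if __name__ == "__main__":
    print(subtree_base_dn("OU=Smart Card Users", "DC=vsec,DC=local"))
    print(build_filter(TEMPLATE, {"UserEmail": NORMAL_EMAIL}))
    unsafe = build_filter(TEMPLATE, {"UserEmail": HOSTILE_EMAIL}, escape=False)
    safe = build_filter(TEMPLATE, {"UserEmail": HOSTILE_EMAIL})
    print(unsafe, assertion_count(unsafe))   # three assertions: structure changed
    print(safe, assertion_count(safe))       # two assertions: still one equality
```

Compare the two filters built from the hostile value: unescaped, the value closes the (mail=...) assertion and appends (objectClass=*), so a lookup meant to match one user matches every object under the base DN; escaped, it remains a single equality that matches nothing. The same check applies to a filter typed by hand into the Filter field: any substituted value that can contain '(', ')', '*' or '\' must be escaped before it reaches the directory.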

Step 4 - Issue Smart Card

1. From the Lifecycle page, attach a blank smart card and click the Issued oval.

2. Select the template configured earlier from the available list and click the Execute button.

3. During the issuance flow the operator is prompted to enter the authorization code and reference number. These can also be pasted into the dialog automatically. For example, if the authorization code and reference number are as follows:

AUTH_CODE = 8IYO-6RA3-LHA4

REF_NUM = 12096747

copy these values to the system clipboard and click the Paste button to fill in the required fields automatically. Once the values are entered, the operator clicks the Get button so that the vSEC:CMS retrieves the user DN that the certificate will be issued to.

4. The card and certificate will then be issued to this user to complete the flow.
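The reference number and authorization code pair that the operator pastes in step 3 of Step 4 (and in step 12 of Step 3), parsed and validated before it is used. This is an added example and not part of vSEC:CMS; the accepted shapes (three groups of four alphanumerics for the code, eight digits for the reference number) are assumed from the sample values in this article rather than taken from Entrust documentation, and the clipboard text is constructed.

```python
"""Parse and validate a pasted Entrust reference number / authorization code.

Added example, not vSEC:CMS code. The formats accepted below are an assumption
based on the sample values in this article (8IYO-6RA3-LHA4 / 12096747).
"""
import re

AUTH_CODE_RE = re.compile(r"[A-Z0-9]{4}-[A-Z0-9]{4}-[A-Z0-9]{4}")
REF_NUM_RE = re.compile(r"\d{8}")

# Constructed clipboard content in the same layout as the article's example,
# deliberately in lower case to exercise normalisation.
CLIPBOARD = """AUTH_CODE = 8iyo-6ra3-lha4
REF_NUM = 12096747
"""


def parse_clipboard(text: str) -> dict:
    """Return {'AUTH_CODE': ..., 'REF_NUM': ...} from KEY = VALUE lines.

    Whitespace is stripped, the code is upper-cased and hyphens are inserted
    if a bare 12-character code was pasted. Raises ValueError on anything
    missing or malformed so a bad pair never reaches the CA.
    """
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a KEY = VALUE line: {line!r}")
        fields[key.strip().upper()] = value.strip()

    missing = {"AUTH_CODE", "REF_NUM"} - fields.keys()
    if missing:
        raise ValueError(f"missing field(s): {sorted(missing)}")

    code = fields["AUTH_CODE"].upper().replace(" ", "")
    if "-" not in code and len(code) == 12:
        code = "-".join(code[i:i + 4] for i in range(0, 12, 4))
    if not AUTH_CODE_RE.fullmatch(code):
        raise ValueError("authorization code is not of the form XXXX-XXXX-XXXX")

    ref = fields["REF_NUM"]
    if not REF_NUM_RE.fullmatch(ref):
        raise ValueError("reference number is not eight digits")

    return {"AUTH_CODE": code, "REF_NUM": ref}


def redact_code(code: str) -> str:
    """Keep only the last group for correlation in logs or tickets."""
    return "****-****-" + code[-4:]


if __name__ == "__main__":
    pair = parse_clipboard(CLIPBOARD)
    print(pair["REF_NUM"], redact_code(pair["AUTH_CODE"]))
```

The authorization code is the credential that lets the operator obtain a certificate for the user, so handle it like a one-time password: validate it before use, never write it to logs or tickets in full (redact_code keeps only the last group), and do not leave it on the clipboard or in an e-mail once the card has been issued.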