6.3. Token Policies

This section provides a list of token policies that can be applied on a per token basis using the TPS UI. Ech section will show how each policy is reflected in the configuration.

Note

See the Token Policies section of the Red Hat Certificate System 9 Planning, Installation and Deployment Guide for general information.
The policy is a collection of policies each separated by a semicolon (";""). Each policy can be turned on or off with the keywords YES or NO. Each policy in the list below will be introduced with its default value - the action taken by TPS if the setting did not exist at all in the policy string.
RE_ENROLL=YES
This policy controls whether or not a token allows a reenroll operation. This allows an already enrolled token (with certificates) to be reenrolled and given new ones. If set to NO, the server will return an error if a reenrollment is attempted.
This policy does not require special configuration. The enrollment will proceed with the standard enrollment profile, which likely enrolled the token originally.
RENEW=NO;RENEW_KEEP_OLD_ENC_CERTS=YES
Renewal allows a token to have their profile generated certificates to be renewed in place on the token. If RENEW is set to YES, a simple enrollment from the Enterprise Security Client (ESC) will result in a renewal instead of a reenrollment as discussed above.
The RENEW_KEEP_OLD_ENC_CERTS setting determines if a renewal operation will retain the previous version of the encryption certificate. Retaining the previous certificate allows users to access data encrypted with the old certificate. Setting this option to NO will mean that anything encrypted with the old certificate will no longer be recoverable.
Configuration:
op.enroll.userKey.renewal.encryption.ca.conn=ca1
op.enroll.userKey.renewal.encryption.ca.profileId=caTokenUserEncryptionKeyRenewal
op.enroll.userKey.renewal.encryption.certAttrId=c2
op.enroll.userKey.renewal.encryption.certId=C2
op.enroll.userKey.renewal.encryption.enable=true
op.enroll.userKey.renewal.encryption.gracePeriod.after=30
op.enroll.userKey.renewal.encryption.gracePeriod.before=30
op.enroll.userKey.renewal.encryption.gracePeriod.enable=false
op.enroll.userKey.renewal.keyType.num=2
op.enroll.userKey.renewal.keyType.value.0=signing
op.enroll.userKey.renewal.keyType.value.1=encryption
op.enroll.userKey.renewal.signing.ca.conn=ca1
op.enroll.userKey.renewal.signing.ca.profileId=caTokenUserSigningKeyRenewal
op.enroll.userKey.renewal.signing.certAttrId=c1
op.enroll.userKey.renewal.signing.certId=C1
op.enroll.userKey.renewal.signing.enable=true
op.enroll.userKey.renewal.signing.gracePeriod.after=30
op.enroll.userKey.renewal.signing.gracePeriod.before=30
op.enroll.userKey.renewal.signing.gracePeriod.enable=false
This type of renewal configuration mirrors the basic userKey standard enrollment profile with a few added settings that are renewal specific. This parity is needed because we went to renew exactly the number and type of certs that were enrolled originally on to the token before renewal is to be put into play.
FORCE_FORMAT=NO
This policy causes every enrollment operation to prompt a format operation if enabled. This is a last-step option to allow tokens to be reset without a user having to return it to an administrator. If set to YES, every enrollment operation initiated by the user will cause a format to happen, esentially resetting the token to the formatted state.
No additional configuration is necessary. A simple format occurs given the same TPS profile used to perform a standard format operation.
PIN_RESET=NO
This policy determines if an already enrolled token can perform an explicit “pin reset” change using the ESC. This value must be set to YES or the attempted operation will be rejected with an error by the server.
Configuration:
op.enroll.userKey.pinReset.enable=true
op.enroll.userKey.pinReset.pin.maxLen=10
op.enroll.userKey.pinReset.pin.maxRetries=127
op.enroll.userKey.pinReset.pin.minLen=4
In the above example, the settings for minLen and maxLen put constraints on the length of a chosen password, and the maxRetries setting sets the token to only allow a given number of retries before locking up.
TPS policies can be edited easily using the latest TPS user interface. Navigate to the token that needs a policy change and click Edit. This will bring up a dialog that will allow you to edit the field, which is a collection of semi colon separated policies strung together. Each supported policy must be set to <POLICYNAME>=YES or <POLICYNAME>=NO in order to be recognized by TPS.