6.3. Token Policies
This section provides a list of token policies that can be applied on a per token basis using the TPS UI. Ech section will show how each policy is reflected in the configuration.
See the Token Policies section of the Red Hat Certificate System 9 Planning, Installation and Deployment Guide for general information.
The policy is a collection of policies each separated by a semicolon ("
;""). Each policy can be turned on or off with the keywords
NO. Each policy in the list below will be introduced with its default value - the action taken by TPS if the setting did not exist at all in the policy string.
- This policy controls whether or not a token allows a reenroll operation. This allows an already enrolled token (with certificates) to be reenrolled and given new ones. If set to
NO, the server will return an error if a reenrollment is attempted.This policy does not require special configuration. The enrollment will proceed with the standard enrollment profile, which likely enrolled the token originally.
- Renewal allows a token to have their profile generated certificates to be renewed in place on the token. If
RENEWis set to
YES, a simple enrollment from the Enterprise Security Client (ESC) will result in a renewal instead of a reenrollment as discussed above.The
RENEW_KEEP_OLD_ENC_CERTSsetting determines if a renewal operation will retain the previous version of the encryption certificate. Retaining the previous certificate allows users to access data encrypted with the old certificate. Setting this option to
NOwill mean that anything encrypted with the old certificate will no longer be recoverable.Configuration:
op.enroll.userKey.renewal.encryption.ca.conn=ca1 op.enroll.userKey.renewal.encryption.ca.profileId=caTokenUserEncryptionKeyRenewal op.enroll.userKey.renewal.encryption.certAttrId=c2 op.enroll.userKey.renewal.encryption.certId=C2 op.enroll.userKey.renewal.encryption.enable=true op.enroll.userKey.renewal.encryption.gracePeriod.after=30 op.enroll.userKey.renewal.encryption.gracePeriod.before=30 op.enroll.userKey.renewal.encryption.gracePeriod.enable=false op.enroll.userKey.renewal.keyType.num=2 op.enroll.userKey.renewal.keyType.value.0=signing op.enroll.userKey.renewal.keyType.value.1=encryption op.enroll.userKey.renewal.signing.ca.conn=ca1 op.enroll.userKey.renewal.signing.ca.profileId=caTokenUserSigningKeyRenewal op.enroll.userKey.renewal.signing.certAttrId=c1 op.enroll.userKey.renewal.signing.certId=C1 op.enroll.userKey.renewal.signing.enable=true op.enroll.userKey.renewal.signing.gracePeriod.after=30 op.enroll.userKey.renewal.signing.gracePeriod.before=30 op.enroll.userKey.renewal.signing.gracePeriod.enable=falseThis type of renewal configuration mirrors the basic
userKeystandard enrollment profile with a few added settings that are renewal specific. This parity is needed because we went to renew exactly the number and type of certs that were enrolled originally on to the token before renewal is to be put into play.
- This policy causes every enrollment operation to prompt a format operation if enabled. This is a last-step option to allow tokens to be reset without a user having to return it to an administrator. If set to
YES, every enrollment operation initiated by the user will cause a format to happen, esentially resetting the token to the formatted state.No additional configuration is necessary. A simple format occurs given the same TPS profile used to perform a standard format operation.
- This policy determines if an already enrolled token can perform an explicit “pin reset” change using the ESC. This value must be set to
YESor the attempted operation will be rejected with an error by the server.Configuration:
op.enroll.userKey.pinReset.enable=true op.enroll.userKey.pinReset.pin.maxLen=10 op.enroll.userKey.pinReset.pin.maxRetries=127 op.enroll.userKey.pinReset.pin.minLen=4In the above example, the settings for
maxLenput constraints on the length of a chosen password, and the
maxRetriessetting sets the token to only allow a given number of retries before locking up.
TPS policies can be edited easily using the latest TPS user interface. Navigate to the token that needs a policy change and click Edit. This will bring up a dialog that will allow you to edit the field, which is a collection of semi colon separated policies strung together. Each supported policy must be set to
<POLICYNAME>=NO in order to be recognized by TPS.