1.2. Agent Tasks

The designated agents for each subsystem are responsible for the everyday management of end entity requests and other aspects of the PKI:
  • Certificate Manager Agents manage certificate requests received by the Certificate Manager subsystem, maintain and revoke certificates as necessary, and maintain global information about certificates.
  • Registration Manager Agents process certificate requests; any approved requests are automatically forwarded to the configured CA to issue the certificate. RA agents can also revoke certificates which have been issued through the RA.
  • Data Recovery Manager Agents initiate the recovery of lost keys and can obtain information about key service requests and archived keys.

    NOTE

    Recovering lost or archived key information is done automatically in smart card deployments because the TPS server is a DRM agent. Smart cards are marked as lost in the TPS agent page, and then another smart card is later used to recover the old encryption keys automatically during certificate enrollment.
  • Online Certificate Status Manager Agents manage the configuration for verifying whether certificates are revoked, so these agents can both manage CRLs (by managing the publishing CAs and manually adding CRLs) and manage requests to check certificate status.
  • Token Processing System Agents can perform tasks related to managing certificates stored on tokens and smart cards, which includes viewing smart card enrollment and formatting activities; listing, editing, and deleting tokens from the token database; and managing lost tokens.
The privileged operations of an agent are performed through the Certificate System agent services pages. For a user to access these pages, the user must have a personal SSL client certificate and have been identified as a privileged user in the user database by the Certificate System administrator. For more information on creating privileged users, see the Certificate System Administrator's Guide.

1.2.1. Certificate Manager Agent Services

The default entry page for CA agent services is shown in Figure 1.2, “Certificate Manager Agent Services Page”. Only designated Certificate Manager agents, with a valid certificate installed in their client software, are authorized to access these pages.
Figure 1.2. Certificate Manager Agent Services Page

A Certificate Manager agent performs the following tasks:
  • Handles certificate requests.
    An agent can list the certificate service requests received by the Certificate Manager subsystem, assign requests, reject or cancel requests, and approve requests for certificate enrollment. See Chapter 3, CA: Handling Certificate Requests.
  • Finds certificates.
    Certificates can be searched for individually or searched and listed by different criteria. The details for all returned certificates are then displayed. See Chapter 4, CA: Finding and Revoking Certificates.
  • Revokes certificates.
    If a user's key is compromised, the certificate must be revoked to ensure that the key is not misused. Certificates belonging to users who have left the organization may also need to be revoked. Certificate Manager agents can find and revoke a specific certificate or a set of certificates. Users can also request that their own certificates be revoked. See Section 4.4, “Revoking Certificates”.
  • Updates the CRL.
    The Certificate Manager maintains a public list of revoked certificates, called the Certificate Revocation List (CRL). The list is usually maintained automatically, but, when necessary, the Certificate Manager agent services page can be used to update the list manually. See Section 4.5.2, “Updating the CRL”.
  • Publishes certificates to a directory.
    The Certificate System can be configured to publish certificates and CRLs to an LDAP directory. This information is usually published automatically, but the Certificate Manager agent services page can be used to update the directory manually. See Section 5.2, “Manually Updating the Directory”.
  • Manages certificate profiles.
    The agent can enable and disable certificate profiles. A profile must be temporarily disabled before an administrator can make changes to the profile itself using the administrative interface. After the changes have been made, the agent can re-enable the profile for regular use. See Chapter 2, CA: Working with Certificate Profiles.

1.2.2. Registration Manager Agent Services

There are two user types who can access the RA services pages: agents and administrators. Each user requires a certificate to authenticate to the appropriate services page.
Figure 1.3. Registration Manager Agent Services Page

RA agents can perform four tasks:
  • Approve and reject certificate requests.
  • List, view, and add notes to certificate requests.
  • List and view issued certificates.
  • Revoke issued certificates.
In a sense, RA agents do not initiate tasks: their services page opens with lists of requests and certificates because the agent's job is to respond to enrollment operations that users have initiated.
RA administrators can only manage users and groups for the RA subsystem.

NOTE

The RA subsystem uses its HTML-based services pages for administrative functions as well as agent services, because it does not have a Java-based console to handle those administrative tasks. For the RA, those administrative tasks relate to managing users and groups.

1.2.3. Data Recovery Manager Agent Services

Only designated DRM agents, with a valid certificate installed in their browser, are authorized to access the agent services pages.
Figure 1.4. Data Recovery Manager Agent Services Page

A DRM agent performs the following tasks:
  • Lists key recovery requests from end entities.
  • Lists or searches for archived keys.
  • Recovers private data-encryption keys.
  • Authorizes and approves key recovery requests.
    Key recovery requires the authorization of one or more recovery agents. The DRM administrator designates recovery agents. Typically, several recovery agents are required to approve key recovery requests in the DRM, so DRM administrators should designate more than one agent.
For more information on these tasks, see Chapter 7, DRM: Recovering Encrypted Data.

1.2.4. Online Certificate Status Manager Agent Services

The default entry page to the Online Certificate Status Manager agent services is shown in Figure 1.5, “Online Certificate Status Manager Agent Services Page”. Only designated Online Certificate Status Manager agents, with a valid certificate in their client software, are authorized to access these pages.
Figure 1.5. Online Certificate Status Manager Agent Services Page

An Online Certificate Status Manager agent performs the following tasks:
  • Checks that CAs are currently configured to publish their CRLs to the Online Certificate Status Manager.
  • Identifies a Certificate Manager to the Online Certificate Status Manager.
  • Manually adds CRLs to the Online Certificate Status Manager.
  • Submits requests for the revocation status of a certificate to the Online Certificate Status Manager.
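The revocation and CRL-update tasks of the Certificate Manager agent (Section 1.2.1) and the status requests handled by the Online Certificate Status Manager (Section 1.2.4) are two views of the same data: the CA's record of which serial numbers are revoked. The script below is an added example, not part of this guide or of Certificate System; it stands up a throw-away CA with the openssl command line and plays both roles, with `openssl ocsp` reading the CA database in place of the Online Certificate Status Manager. It assumes only that the `openssl` CLI is installed; every file name, subject name and serial value in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Certificate System guide or the product: a
# throw-away CA built with the openssl CLI that walks through issuance,
# revocation, CRL update and an OCSP status query. All names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal 'openssl ca' configuration (constructed for this example).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
prompt = no
[ req_dn ]
CN = Demo Root CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
mkdir newcerts; touch index.txt; echo 1000 > serial; echo 01 > crlnumber

# Root CA, then an end-entity request approved and signed by the CA
# (the "handle certificate requests" step on the CA agent page).
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -config ca.cnf -days 30 >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
    -config ca.cnf -subj "/CN=alice" >/dev/null 2>&1
openssl ca -batch -config ca.cnf -in user.csr -out user.crt -notext >/dev/null 2>&1

# update_crl: publish the current revocation state ("update the CRL").
update_crl() { openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1; }

# revoke_cert: mark a certificate revoked in the CA database. Relying parties
# that use the CRL see nothing until update_crl runs again.
revoke_cert() { openssl ca -config ca.cnf -revoke "$1" >/dev/null 2>&1; }

# crl_status: a relying party's view, checking the cert against the CRL.
# Prints good, revoked or unknown.
crl_status() {
    cat ca.crt ca.crl > trust.pem
    out=$(openssl verify -crl_check -CAfile trust.pem "$1" 2>&1) || true
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*) echo good ;;
        *) echo unknown ;;
    esac
}

# ocsp_status: the Online Certificate Status Manager role, played offline by
# 'openssl ocsp' reading the CA database, then the client's check of the
# signed response. Prints good or revoked.
ocsp_status() {
    openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
        -issuer ca.crt -cert "$1" -CAfile ca.crt -no_nonce \
        -respout resp.der >/dev/null 2>&1
    openssl ocsp -respin resp.der -issuer ca.crt -cert "$1" -CAfile ca.crt \
        -no_nonce 2>/dev/null | awk -v c="$1" '$1 == c ":" { print $2 }'
}

update_crl
echo "before revocation:      crl=$(crl_status user.crt) ocsp=$(ocsp_status user.crt)"
revoke_cert user.crt
echo "revoked, CRL not updated: crl=$(crl_status user.crt) ocsp=$(ocsp_status user.crt)"
update_crl
echo "revoked, CRL updated:   crl=$(crl_status user.crt) ocsp=$(ocsp_status user.crt)"
```

The middle line of output is the point of the exercise: between "revoke" and "update the CRL" a CRL-based checker still reports the certificate as good, while a status responder reading the CA database reports it as revoked. That gap is why the agent page exposes a manual CRL update alongside revocation, and why a deployment that cannot tolerate the gap points clients at the Online Certificate Status Manager instead of, or in addition to, a published CRL.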

1.2.5. Token Processing System Agent Services

The TPS agent services page allows operations by two types of users, agents and administrators. A third user type, operators, can view certificate and token information but cannot edit or process token information.
The default entry page to the Token Processing System (TPS) agent services is shown in Figure 1.6, “TPS Agent Services Page”. Only designated TPS agents, with a valid certificate in their client software, are authorized to access these pages.
Figure 1.6. TPS Agent Services Page

A TPS agent performs the following tasks:
  • Lists and searches enrolled tokens by user ID or token CUID.
  • Lists and searches certificates associated with enrolled tokens.
  • Searches token operations by CUID.
  • Edits token information.
  • Sets the token status.
The TPS agent services page also has a tab to allow operations by TPS administrators.
Figure 1.7. TPS Administrator Operations Tab

A TPS administrator performs the following tasks:
  • Lists and searches enrolled tokens by user ID or token CUID.
  • Edits token information, including the token owner's user ID.
  • Adds tokens.
  • Deletes tokens.
For more information about TPS agent and administrator tasks, see Chapter 9, TPS: Managing Token and Smart Card Operations.