9.4. Performing Administrator Tasks

An administrator maintains the server configuration in the internal database and the token database.
  • Adding and deleting tokens manually in the token database
  • Creating and editing users for the TPS subsystem
  • Managing audit logging for the TPS instance
  • Running and configuring self-tests
  • Editing and creating TPS profiles and profile mappings
  • Setting up LDAP authentication sources
  • Adding subsystem connections
  • Setting general server configuration, including secure channels and search parameters
An administrator can also perform common tasks, like viewing tokens and activity logs.

IMPORTANT

A user can only see entries relating to the profile configured for it. This means that all results are filtered by the profiles that the user can view, including listing and searching for certificates, tokens, or activities. For an administrator to be able to manage all tokens, the user account needs to be set to All profiles.
Setting profiles for users is described in Section 9.4.2.3, “Setting Profiles for Users”.
Figure 9.14. Administrator Tasks

9.4.1. Managing Tokens

Administrators cannot manage token information the way that agents can, but they can manually create or delete token entries from the token database, the repository which the TPS uses to identify and manage tokens.

9.4.1.1. Adding Tokens

New tokens are added to the TPS subsystem through the Add tokens link in the Admin Operations tab. The only required information is the token ID, which is embedded in the token. Additional information about the token can be added through the agent edit page.
Normally, it is not necessary to create a token entry because the entry is created automatically when the token connects to TPS, such as connecting through the Enterprise Security Client. However, it may be necessary to pre-populate the tokens with keys or other custom information; this can be done by manually adding and editing the token in the TPS.

9.4.1.2. Searching Tokens

To look for all tokens, a subset of tokens, or a specific token, click the List/Search Tokens link, and fill in the name of the user or the whole or partial token identification number (CUID). Asterisks (*) can be used in the search fields as wildcards.

NOTE

A user can only see entries relating to the profile configured for it, including both token operations and tokens themselves. For an administrator to be able to search and manage all tokens configured in the TPS, the administrator user entry should be set to All profiles.
Setting profiles for users is described in Section 9.4.2.3, “Setting Profiles for Users”.
Figure 9.15. Searching for Tokens

There is a maximum allowed number of search results configured for the TPS Directory Server database, so the number of entries returned is constrained by the search limit. Each results page shows 25 records.

9.4.1.3. Viewing Tokens

After searching for tokens, click the link of the token ID to view the token information.
The token information shows the current definition and state of the token:
  • Token, the token ID number entered in the TPS.
  • User ID, user of the token.
  • Status and Reason, the current state of the token.
    • uninitialized means the token has not been processed
    • initialized means that the smart card is formatted, but does not have any certificates enrolled on it
    • enrolled means that certificates have been installed on it
    • lost or onHold means it has been suspended, and any suspended or revoked token also has an attribute to show the reason why the token status was changed
  • Policy, which sets the user policies for the token, such as whether the token can be reused.
  • Token Type, which is the enrollment profile which is used to enroll the token.
The system information shows information about the token that is processed by the TPS:
  • Key Info, the types of keys and bit strength generated for the token
  • Applet ID, the applet loaded on the token
  • Creation Date and Modification Date, which show the dates on which the token was first entered in the TPS and most recently changed
Additionally, there are two other sets of information that can be viewed for the token.
  • Clicking the Show Certificates button lists the certificates which are stored on the token.
  • Clicking the Show Activities button lists the operations which have been performed on the token.

9.4.1.4. Deleting the Token

  1. Search for the token, and click its ID link.
  2. Click Delete in the lower right of the edit page to remove the token, and all its associated certificates and user information, from the TPS database.

9.4.2. Managing TPS Users

For the TPS subsystem, users are added and managed through the Administrator Operations page, which replaces an administrative console for that subsystem.
As with other subsystems, the TPS administrator can create other users who access the TPS subsystem. These users are created through the administrator services tab.

9.4.2.1. Searching Users

Search for all users, a subset of users, or specific users by their subsystem user ID, first name, or last name through the Search Users link in the Administrator Operations page.

9.4.2.2. Adding Users

  1. Obtain a user certificate for the new user. Requesting and submitting certificates is explained in the End User's Guide.

    IMPORTANT

    A TPS administrator must have a signing certificate. The recommended profile to use is Manual User Signing and Encryption Certificates Enrollment.
  2. Click the Add New User link in the Administrator Operations tab.
  3. Fill in the user's name and ID and paste in the certificate, without the BEGIN CERTIFICATE and END CERTIFICATE lines.
  4. Select the roles to which the user belongs. The user can only see the tabs (services pages) of the roles to which he belongs.

9.4.2.3. Setting Profiles for Users

A TPS profile is much like a CA profile; it defines rules for processing different types of tokens. The profile is assigned automatically to a token based on some characteristic of the token, like the CUID. Users can only see tokens for the profiles which are assigned to them.

NOTE

A user can only see entries relating to the profile configured for it, including both token operations and tokens themselves. For an administrator to be able to search and manage all tokens configured in the TPS, the administrator user entry should be set to All profiles. Setting specific profiles for users is a simple way to control access for operators and agents to specific users or token types.
Token profiles are sets of policies and configurations that are applied to a token. Token profiles are mapped to tokens automatically based on some attribute of the token itself, such as a CUID range. Token profiles are created in the same way as other certificate profiles (as in Section 2.1, “About Certificate Profiles”). Configuring token mapping is covered in the Certificate System Administrator's Guide.
  1. Search for the users, and click the link of the user's name in the results page.
  2. Scroll to the bottom of the page, and select the profile from the drop-down menu.
    Only fifteen (15) profiles are listed in the menu; if there are more than fifteen profiles available, then the last profile is Other, which allows the administrator to type in the selected profile manually.

    NOTE

    If the All Profiles option is added to the user, then any other configured profiles are dropped, because they are already included in the All Profiles option.
  3. Click the Add Profile button to add the profile to the user entry.
The new profile is listed as part of the user entry attributes. Up to fifteen profiles are listed in the user entry; if there are more than fifteen, the profile list is paginated.

9.4.2.4. Changing Roles for Users

A role is just a group within the TPS. Each role can view different tabs of the TPS services pages. The role is editable, so it is possible to add and remove role assignments for a user.
A user can belong to more than one role. The default admin user, for example, belongs to all three roles.
  1. Search for the users, and click the link of the user's name in the results page.
  2. Near the top of the page is a series of check boxes for the different roles, Operator, Agent, and Administrator. Check the boxes to assign the roles.
  3. Click the Update button to save the new role settings.

9.4.2.5. Deleting Users

WARNING

It is possible to delete the last user account, and the operation cannot be undone. Be very careful about the user which is selected to be deleted.
  1. Search for the user, and click the link to the user to delete.
  2. Click the Delete button in the lower right of the edit page.

9.4.3. Searching Activities

Activities are essentially logs for the TPS subsystem, and for the actions taken on individual tokens. Administrators can see all of the activities for tokens and certificates that agents and operators see. They can also see non-token operations, like adding or editing users.
Activities are logs of actions performed on a token, so searching for activities means searching for the token, and returning its specific log of activities.
To find all tokens, a subset of tokens, or a specific token, click the List/Search Activities link in the Administrator Operations tab, and fill in the name of the user or the whole or partial token identification number (CUID). The activities search form, then, appears identical to the regular token search form. As with searching for tokens, asterisks (*) can be used in the search fields as wildcards, and leaving a field blank returns all tokens.

NOTE

It is possible to list the activities for a single token by opening the token information page and then clicking the Show Activities button.
There is a maximum allowed number of search results configured for the TPS Directory Server database, so the number of entries returned is constrained by the search limit. Each results page shows 25 records.
Figure 9.16. Results for Searching Activities

The activities entries are formatted with two lines of information. The first line has the following information:
  • Activity ID, the unique ID of the activity entry
  • Token, the ID of the token for which the activity was performed
  • IP, the IP address of the client which connected to the TPS and performed the operation
  • User ID, the ID of the person who performed the operation
  • Operation, the kind of action being taken (a type of no_token means it is an administrative operation)
  • Result, the result returned for the operation
  • Created, the time that the activity was performed
The second line contains a detailed description of what operation was performed.
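An added example (not part of the original guide) of reviewing activity search results in the two-line layout just described: the field labels, separators and sample values below are constructed for this example, not the TPS display format. The review flags administrative (no_token) operations for reconciliation with the audit log and users who accumulate failed token operations from one address.

```python
from collections import Counter

# Constructed sample of activity search results in the two-line layout described
# above: a header line with the listed fields, then a description line. The
# labels and separators are this example's own, not the TPS display format.
SAMPLE_ACTIVITIES = """\
1001 token=CUID0001 ip=192.0.2.10 user=jsmith op=enrollment result=success created=2024-03-01T09:00:12
Token enrolled with profile userKey
1002 token=CUID0001 ip=192.0.2.10 user=jsmith op=pin_reset result=success created=2024-03-01T09:05:40
PIN reset completed
1003 token=- ip=192.0.2.77 user=admin op=no_token result=success created=2024-03-01T09:10:03
User operator2 added with role Operator
1004 token=CUID0002 ip=198.51.100.8 user=mallory op=format result=failure created=2024-03-01T09:11:00
Token format failed: authentication failure
1005 token=CUID0002 ip=198.51.100.8 user=mallory op=format result=failure created=2024-03-01T09:11:31
Token format failed: authentication failure
1006 token=CUID0002 ip=198.51.100.8 user=mallory op=format result=failure created=2024-03-01T09:12:04
Token format failed: authentication failure
"""


def parse_activities(text):
    """Turn the two-line entries into dicts keyed by the field names above."""
    lines = [line for line in text.splitlines() if line.strip()]
    entries = []
    for header, description in zip(lines[0::2], lines[1::2]):
        activity_id, *fields = header.split()
        entry = {"activity_id": activity_id, "description": description.strip()}
        for field in fields:
            key, _, value = field.partition("=")
            entry[key] = value
        entries.append(entry)
    return entries


def review(entries, failure_threshold=3):
    """Return (admin_ops, repeated_failures): the administrative (no_token) entries
    an auditor should reconcile with the CONFIG_* audit events, and the (user, ip)
    pairs whose failed operations reach the threshold."""
    admin_ops = [e["activity_id"] for e in entries if e["op"] == "no_token"]
    failures = Counter((e["user"], e["ip"]) for e in entries if e["result"] != "success")
    repeated = {pair: n for pair, n in failures.items() if n >= failure_threshold}
    return admin_ops, repeated
```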

9.4.4. Running Self-Tests

On-demand self-tests for the TPS subsystem are run through the Run Self Tests link in the Administrator Operations page.
The tests that will be run are shown on the Run Self Tests page.
Figure 9.17. Self-Tests

The TPS Services page will show the logged events for the self-tests. If any critical self-tests fail, the server will stop.

9.4.5. Managing the TPS Audit Logs

Audit logs are special, protected logs that are used by auditors to track operations in the subsystem, such as for routine security checks or in case of some kind of security breach. Audit logs record a specific, configurable subset of operations.
TPS audit log settings are managed by clicking the Configuring Signed Audit Logging link in the Administrator Operations tab.
Figure 9.18. Configuring TPS Audit Logging

Audit logs are stored with the other subsystem logs in /var/log/subsystem_name (by default). Signed audit logs are written to /var/log/subsystem_name/signedAudit.

NOTE

For other Certificate System subsystems, audit logging is maintained in the Java-based administrative console. The TPS subsystem, however, does not use a Java console, so administrative tasks are either performed by directly editing the configuration files or, as with managing users, through the administrative page in TPS web services.
Enabling audit logging has two parts. The first is enabling the audit log itself, using the Enable|Disable radio buttons. The second is enabling signed audit logging, which signs the audit log after every entry with a special signing certificate so that any tampering with the log can be detected.
By default, the audit log is enabled and audit log signing is disabled. After enabling logging, administrators can set which operations are recorded in the audit log. The loggable events are listed in Table 9.2, “Events Recorded to the TPS Audit Log”, and logging for these events can be added to or removed from the audit log settings.
The Audit Log Signing Interval field controls how frequently the server flushes the buffer and writes the messages to the logs; the default value is 5 seconds. The Audit Log Signing Buffer Size field sets the maximum size of the buffer in bytes; the default value is 512 bytes. The buffer is flushed and the data written to the logs when the signing interval has expired or the buffer is full.
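An added example (not the TPS implementation) of the buffer-and-sign behaviour described above: events are buffered and a batch is signed and written when the buffer reaches its size or the signing interval expires, and a verifier recomputes the chain to detect an edited or unsigned entry. The signing key, the record layout and the HMAC stand-in for certificate signing are this example's own assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed stand-in for the audit signing certificate's key: the TPS signs with
# a certificate; an HMAC key keeps this added example runnable offline.
SIGNING_KEY = b"example-audit-signing-key"
SIG_PREFIX = "AUDIT_LOG_SIGNING "

def _sign(prev_sig, lines, key=SIGNING_KEY):
    # Each signature also covers the previous one, so removed or reordered batches
    # are detected as well as an edited entry.
    data = prev_sig.encode() + "\n".join(lines).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class SignedAuditLog:
    def __init__(self, interval_seconds=5, buffer_size=512, clock=time.monotonic):
        self.interval, self.buffer_size, self.clock = interval_seconds, buffer_size, clock
        self.buffer, self.buffered_bytes, self.prev_sig = [], 0, ""
        self.last_flush = clock()
        self.records = []  # what reaches disk: event lines plus signature lines

    def log(self, event, detail):
        line = json.dumps({"event": event, "detail": detail}, sort_keys=True)
        self.buffer.append(line)
        self.buffered_bytes += len(line)
        # The real server flushes on a timer; here the interval is checked per write.
        if self.buffered_bytes >= self.buffer_size or self.clock() - self.last_flush >= self.interval:
            self.flush()

    def flush(self):
        if self.buffer:
            sig = _sign(self.prev_sig, self.buffer)
            self.records.extend(self.buffer)
            self.records.append(SIG_PREFIX + sig)
            self.prev_sig, self.buffer, self.buffered_bytes = sig, [], 0
        self.last_flush = self.clock()

def verify(records, key=SIGNING_KEY):
    """Return (ok, index of the first bad or unsigned record; -1 when the log verifies)."""
    prev, pending, first_pending = "", [], -1
    for i, rec in enumerate(records):
        if rec.startswith(SIG_PREFIX):
            expected = _sign(prev, pending, key)
            if not hmac.compare_digest(expected, rec[len(SIG_PREFIX):]):
                return False, i
            prev, pending, first_pending = expected, [], -1
        else:
            pending.append(rec)
            first_pending = i if first_pending < 0 else first_pending
    return not pending, first_pending

def demo():
    # Fake clock so the interval trigger can be exercised without sleeping.
    now = [0.0]
    log = SignedAuditLog(clock=lambda: now[0])
    log.log("AUTH_SUCCESS", "user admin authenticated")  # t=0, stays buffered
    now[0] = 6.0  # signing interval (5 s) has expired
    log.log("CONFIG_AUDIT", "audit log signing enabled")  # this write flushes
    log.log("ENROLLMENT", "token CUID0001 enrolled")
    log.flush()  # final flush, as at shutdown
    tampered = list(log.records)
    tampered[0] = tampered[0].replace("admin", "mallory")  # edit after the fact
    return verify(log.records)[0], verify(tampered)
```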

Table 9.2. Events Recorded to the TPS Audit Log

Event                           Description
AUDIT_LOG_STARTUP               The start of the subsystem, and thus the start of the audit function.
AUDIT_LOG_SHUTDOWN              The shutdown of the subsystem, and thus the shutdown of the audit function.
LOGGING_SIGNED_AUDIT_SIGNING    Shows changes in whether the audit log is signed.
AUTHZ_SUCCESS                   Shows when a user is successfully processed by the authorization servlets.
AUTH_SUCCESS                    Shows when a user successfully authenticates.
ENROLLMENT                      Shows when a token is enrolled through the TPS.
APPLET_UPGRADE                  Shows when the applet on the token is upgraded.
AUTHZ_FAIL                      Shows when a user is not successfully processed by the authorization servlets.
ROLE_ASSUME                     A user assuming a role. A user assumes a role after passing through the authentication and authorization systems. Only the default roles of administrator, auditor, and agent are tracked; custom roles are not tracked.
PIN_RESET                       Shows when the password used to access the token is reset.
CONFIG                          Shows general configuration changes not specifically defined below.
CONFIG_ROLE                     Shows that a change has been made to the configuration settings for roles, including changes made to users or groups.
CONFIG_TOKEN                    Shows that a change was made to a token's configuration settings.
CONFIG_PROFILE                  Shows that a change was made to a profile's configuration settings.
CONFIG_AUDIT                    Shows that a change was made to the audit log configuration.
KEY_CHANGEOVER                  Shows whether key changeover worked successfully.
RENEWAL                         Shows whether a token is renewed successfully through the TPS.
AUTH_FAIL                       Shows when a user does not successfully authenticate.
FORMAT                          Records when a token is formatted.
CIMC_CERT_VERIFICATION          Shows when a router (Cisco Integrated Management Controller) certificate verification request has been processed.

9.4.6. Managing TPS Server Configuration

The Advanced Configuration area of the TPS administrative UI shows different areas that can be configured specifically relating to the TPS server, such as subsystem connections, LDAP authentication sources, and both operation profiles and profile/smart card mappings. These are all sections in the TPS CS.cfg file that are explicitly exposed in the UI for editing or adding entries.
Defining the configuration elements that are manageable in the TPS web services pages is also set in the CS.cfg file. This is covered in the Certificate System Administrator's Guide.
The advanced configuration areas in the UI simply expose excerpts from the CS.cfg file, without providing guided editable fields or configuration wizards. Even so, editing the TPS configuration in the TPS admin UI offers several distinct advantages over editing the CS.cfg file directly:
  • The TPS UI provides a visual list of changes, displaying both additions and deletions.
  • The TPS UI validates the format of the parameters used in the configuration.
  • Every configuration change is automatically recorded to the TPS audit logs. Whenever a new entry is added or an entry is edited, the change is recorded with the configuration area and entry name, plus the timestamp and the change that was made.

9.4.6.1. Editing TPS Profiles

The TPS profiles are configured based on the token operation.

NOTE

A profile must be disabled by an agent before it can be edited, and then it must be re-enabled by an agent before it can be used.
  1. In the Administrator Operations tab, click the Profiles link.
  2. Select the profile from the drop-down menu and click the Edit button.
  3. Edit the profile as desired. The parameters for the profiles are covered in the Certificate System Administrator's Guide.
  4. Click the Submit for Approval button to send the edited profile back to the agent for approval. Submitting the profile for approval locks the configuration so that it cannot be changed until an agent either accepts or rejects it.
    To save a draft of the profile, click the Save button, which preserves the current changes. This updates the TPS CS.cfg; any other admin users who are editing the TPS configuration will have to edit the updated file, but they can still make changes.

    NOTE

    An agent can enable a profile even if it has not been sent for approval by an administrator.
  5. When the profile is submitted, a list of all of the changes comes up, showing both additions and deletions. If the changes are correct, click the Confirm Changes button.
A new profile can be added in the same way: give it a name, paste in the new configuration, validate the settings, and then have it approved by an agent.

9.4.6.2. Mapping Token Types and TPS Policies

A mapping associates a profile with a subset of smart cards which meet certain parameters. This can be used to define policies for specific types of cards and then have them formatted automatically and correctly for a given user based on characteristics in the card.
  1. In the Administrator Operations tab, click the Profile Mappings link.
  2. Select the profile from the drop-down menu.
  3. Edit the mapping parameters.
  4. Click Save.

9.4.6.3. Configuring Connections to Other Subsystems

Every TPS has connections configured to at least one CA and one TKS instance, and optionally a DRM instance. These default connections can be edited and additional connections can be added for failover tolerance or for load balancing.
Each connection — meaning each CA, TKS, and DRM that the TPS uses — has a separate entry in the CS.cfg file.
  1. In the Administrator Operations tab, select the Subsystem Connections link.
  2. Edit the subsystem connection settings, such as the hostname, servlets, and certificate information.
  3. Click Save.
A new subsystem connection can be added in the same way: give it a name, paste in the new configuration, and validate the settings.

9.4.6.4. Editing LDAP Authentication Sources

The authentication directory is the LDAP directory that the TPS checks for end user credentials to process token operations.
  1. In the Administrator Operations tab, select the Authentication Sources link.
  2. Select the authentication instance (identified by the number) from the drop-down menu.
  3. Edit the LDAP server connection settings.
  4. Click Save.
A new LDAP authentication source can be added in the same way: give it a name, paste in the new configuration, and validate the settings.

9.4.6.5. Setting TPS Server General Configuration

There are some general configuration elements for the TPS, which do not fit in with major configuration areas:
  • The default and maximum number of entries returned for LDAP searches (the token database, internal database, and authentication directory)
  • The maximum search time, in seconds, for LDAP searches (the token database, internal database, and authentication directory)
  • Minimum password length
  • Secure channel settings
Figure 9.19. General Configuration: Search Setup

The search and password parameters are fairly straightforward. The search parameters govern searches against any of the LDAP directories used by the TPS for settings, tokens, and users. The password parameter relates specifically to passwords used by TPS users.
The last general configuration area defines the characteristics of the secure channel that the TPS uses to communicate with the Enterprise Security Client. This channel can be configured for four attributes:
  • Its block size
  • Whether encryption is used
  • The default encryption key version and key index (type)

Example 9.1. Default TPS-Token Channel Configuration

channel.blocksize=248
channel.defKeyIndex=0
channel.defKeyVersion=0
channel.encryption=true
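An added example (not part of the guide or the product) that reads the channel.* keys of Example 9.1 from a CS.cfg fragment and reports settings that weaken the secure channel, checking the default configuration beside a constructed weakened variant. The key names and default values are the guide's; the acceptable block-size range and the comment syntax assumed by the parser are this example's own assumptions.

```python
# The channel.* keys and defaults below are those of Example 9.1.
DEFAULT_CHANNEL = """\
channel.blocksize=248
channel.defKeyIndex=0
channel.defKeyVersion=0
channel.encryption=true
"""

# Constructed weakened variant: encryption switched off and an oversized block.
WEAK_CHANNEL = DEFAULT_CHANNEL.replace("encryption=true", "encryption=false").replace("248", "4096")


def parse_cs_cfg(text):
    """Minimal reader for CS.cfg key=value lines; blank lines and # comments are skipped
    (comment handling is an assumption of this example)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                cfg[key.strip()] = value.strip()
    return cfg


def check_channel(cfg, max_blocksize=255):
    """Return a list of findings; an empty list means the channel settings look sound.
    max_blocksize is an assumed upper bound, not a value from the guide."""
    findings = []
    if cfg.get("channel.encryption", "").lower() != "true":
        findings.append("channel.encryption is not true: traffic on the secure channel is not encrypted")
    blocksize = cfg.get("channel.blocksize", "")
    if not blocksize.isdigit() or not 1 <= int(blocksize) <= max_blocksize:
        findings.append(f"channel.blocksize={blocksize!r} is not an integer in 1..{max_blocksize}")
    for key in ("channel.defKeyIndex", "channel.defKeyVersion"):
        if not cfg.get(key, "").isdigit():
            findings.append(f"{key} is missing or not a non-negative integer")
    return findings
```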

Figure 9.20. General Configuration: Channel Setup