Chapter 5 Security Configuration


Entrust integration

Jaguar integrates an Entrust public-key infrastructure (PKI) that enables Jaguar servers and clients to use Entrust IDs for client/server authentication. To assign an Entrust ID (Entrust profile) to a Jaguar listener:

  1. Install and use Entrust/Entelligence software to manage Entrust keys and obtain an Entrust ID. See the Entrust documentation for more information.
  2. Use Jaguar Manager to configure a security profile that specifies the Entrust ID you obtained in the previous step. You can configure the security profile to accept either non-Entrust clients or only clients that supply an Entrust ID. See "Configuring security profiles" for more information.
  3. Assign the security profile to a listener. See "Configuring listeners" for more information.

The current version of Jaguar does not use Entrust encryption operations other than SSL signing with the private key.

There are three usage scenarios involving Entrust IDs and non-Entrust certificates:

Both client and Jaguar server use non-Entrust certificates

In this scenario, you use Jaguar's Security Manager to access the Sybase PKCS #11 token to manage Jaguar's keys and certificates. On the client, you use either the browser's mechanism to manage keys and certificates for Java applets or the standalone Security Manager to access the Sybase PKCS #11 token to manage keys and certificates for C++ and Java applications.

See "Security Manager tasks" for information about Security Manager and "Using Netscape to manage certificates on the client" for information about Netscape certificate management. See the Jaguar CTS Programmer's Guide for information about configuring C++ and Java applications to use certificates.

Entrust client and non-Entrust Jaguar server (and vice versa)

In a mixed environment of Entrust IDs and non-Entrust certificates, each side (client and server) must import the other's CA certificate so that the other side's certificate is recognized and accepted as coming from a trusted CA. For example, import the Entrust CA certificate into the non-Entrust server's PKCS #11 token using Security Manager (the Entrust CA certificate is embedded in the user profile's .key file). Mark the CA certificate trusted.

See "Installing and exporting certificates" for information about importing CAs and "Viewing certificate, trust, and export information" for information about marking certificates as trusted.
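The trust requirement in the mixed scenario can be reproduced outside Jaguar. The following is an added example, not part of the Sybase documentation: it uses the OpenSSL command line as a stand-in for Entrust and the Sybase PKCS #11 token, with constructed CA, certificate and store names, to show that each side rejects the other's certificate until the issuing CA has been imported into its trust store.

```shell
#!/bin/sh
# Added demo: OpenSSL stands in for Entrust and the Sybase PKCS #11 token.
# Every CA, certificate and store name below is constructed for this example.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA (NAME.crt / NAME.key).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=Demo/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue CA NAME: create a key for NAME and a certificate signed by CA.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Demo/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -days 1 -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# import_ca STORE CA: add CA.crt to STORE.pem. With OpenSSL, presence in the
# file is what makes the CA trusted (the "import" plus "mark trusted" steps).
import_ca() { cat "$WORK/$2.crt" >> "$WORK/$1.pem"; }

# accepts STORE NAME: succeed only if NAME.crt chains to a CA in STORE.pem.
accepts() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca demo-entrust-ca && make_ca demo-jaguar-ca
issue demo-entrust-ca client && issue demo-jaguar-ca server

# Each side starts out trusting only its own CA.
import_ca server-store demo-jaguar-ca
import_ca client-store demo-entrust-ca
accepts server-store client || echo "server rejects client: issuer not trusted"
accepts client-store server || echo "client rejects server: issuer not trusted"

# Cross-import: each side adds the other's CA certificate.
import_ca server-store demo-entrust-ca
import_ca client-store demo-jaguar-ca
accepts server-store client && echo "server accepts client"
accepts client-store server && echo "client accepts server"
```

Importing only one direction leaves the other side rejecting its peer, which is the usual cause of handshake failures in a mixed deployment.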

You can then use the certificates and Entrust IDs as follows:

Both client and Jaguar server use Entrust certificates

When both the client and Jaguar server use Entrust IDs, use Entrust to manage the IDs and use Jaguar Manager to establish a security profile that uses those IDs.

See "Configuring security profiles" for information on configuring security profiles to use either Entrust IDs or non-Entrust certificates and enabling non-Entrust clients to connect to a listener using Entrust IDs.

 


Copyright © 2000 Sybase, Inc. All rights reserved.