System information
among one or more levels of subordinate CMs.
Subsystems can also be cloned. All clones use the same keys and certificates as the master,
which means that the master and clones essentially all function as a single CA. Many complex
deployment scenarios are possible.
Data Recovery Manager.
A Data Recovery Manager (DRM) oversees the long-term archival and recovery of private
encryption keys for end entities. A CM or TPS can be configured to archive end entities' private
encryption keys with a DRM as part of the process of issuing new certificates.
The DRM is useful only if end entities are encrypting data, using applications such as S/MIME
email, that the organization may need to recover someday. It can be used only with client
software that supports dual key pairs: two separate key pairs, one for encryption and one for
digital signatures. It is also possible to perform server-side key generation using the TPS server
when enrolling smart cards.
Note
The DRM archives encryption keys. It does not archive signing keys, since
archiving signing keys would undermine the non-repudiation properties of
dual-key certificates.
Online Certificate Status Manager.
An Online Certificate Status Manager (OCSM) works as an online certificate validation authority
and allows OCSP-compliant clients to verify certificates' current status. The OCSM can receive
CRLs from multiple CMs; clients then query the OCSM for the revocation status of certificates
issued by all CMs. For example, in a PKI comprising multiple CAs (a root CA and many
subordinate CAs), each CA can be configured to publish its CRL to the OCSM, allowing all
clients in the PKI deployment to verify the revocation status of a certificate by querying a single
OCSM.
Note
An online certificate-validation authority is often referred to as an OCSP
responder.
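The exchange described above, as an added example that is not part of Certificate System or this guide: two CAs publish their CRLs to a single responder, and a client checks a certificate from each by querying only that responder. It uses the third-party `cryptography` package; the CA names, serial numbers and the unserved third CA are all constructed for the demonstration, the CAs are independent rather than chained to one root, and the responder keeps copies of the issued certificates only because the `cryptography` response builder needs the certificate object (the revocation decision itself is taken from the CRLs alone).

```python
"""Toy OCSP responder fed by CRLs from several CAs (added example, not Certificate System code).
Needs the third-party `cryptography` package; every CA, name and serial here is constructed."""
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

NOW = datetime.datetime.now(datetime.timezone.utc)
DER = serialization.Encoding.DER


def make_ca(common_name):
    """Self-signed CA key and certificate; stands in for one CM (or for the responder)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue(ca_key, ca_cert, common_name, serial):
    """End-entity certificate with a chosen serial number, signed by the given CA."""
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
            .issuer_name(ca_cert.subject).public_key(leaf_key.public_key()).serial_number(serial)
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=90))
            .sign(ca_key, hashes.SHA256()))


def build_crl(ca_key, ca_cert, revoked_serials):
    """The CRL a CM would publish to the OCSM."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + datetime.timedelta(days=1)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())


class OCSPResponder:
    """One OCSM answering for every CA whose CRL it has received."""

    def __init__(self, key, cert):
        self.key, self.cert = key, cert
        self.issuers = {}   # issuer Name -> CA certificate
        self.revoked = {}   # issuer Name -> {serial: revocation date}, filled only from CRLs
        self.issued = {}    # (issuer Name, serial) -> certificate; toy shortcut, see publish_crl

    def publish_crl(self, ca_cert, crl, issued_certs):
        # Refuse a CRL that was not actually signed by the CA it claims to come from.
        if not crl.is_signature_valid(ca_cert.public_key()):
            raise ValueError("CRL signature does not verify against the CA's key")
        self.issuers[ca_cert.subject] = ca_cert
        self.revoked[ca_cert.subject] = {r.serial_number: r.revocation_date for r in crl}
        # The `cryptography` response builder needs the certificate object itself, so in this
        # toy the CA also hands over copies of what it issued; status still comes from the CRL.
        for c in issued_certs:
            self.issued[(ca_cert.subject, c.serial_number)] = c

    def _match_issuer(self, req):
        # The request carries hash(issuer DN); find the served CA whose DN hashes to that value.
        for name in self.issuers:
            digest = hashes.Hash(req.hash_algorithm)
            digest.update(name.public_bytes())
            if digest.finalize() == req.issuer_name_hash:
                return name
        return None

    def handle(self, request_der):
        """Parse one DER OCSP request and return a DER-encoded OCSP response."""
        req = ocsp.load_der_ocsp_request(request_der)
        issuer = self._match_issuer(req)
        cert = self.issued.get((issuer, req.serial_number))
        if issuer is None or cert is None:
            # Not a CA this responder serves (or a serial it has never seen).
            return ocsp.OCSPResponseBuilder.build_unsuccessful(
                ocsp.OCSPResponseStatus.UNAUTHORIZED).public_bytes(DER)
        revoked_at = self.revoked[issuer].get(req.serial_number)
        status = ocsp.OCSPCertStatus.REVOKED if revoked_at else ocsp.OCSPCertStatus.GOOD
        response = (ocsp.OCSPResponseBuilder()
                    .add_response(cert=cert, issuer=self.issuers[issuer], algorithm=req.hash_algorithm,
                                  cert_status=status, this_update=NOW,
                                  next_update=NOW + datetime.timedelta(hours=1),
                                  revocation_time=revoked_at, revocation_reason=None)
                    .responder_id(ocsp.OCSPResponderEncoding.HASH, self.cert)
                    .sign(self.key, hashes.SHA256()))
        return response.public_bytes(DER)


def check_status(responder, cert, issuer_cert):
    """Client side: build the request, then verify the answer before trusting it."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer_cert, hashes.SHA256()).build()
    resp = ocsp.load_der_ocsp_response(responder.handle(req.public_bytes(DER)))
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return resp.response_status.name
    # A status means nothing unless the responder signed it (trust in the responder
    # certificate itself is assumed here) and it is about the certificate we asked about.
    responder.cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                       padding.PKCS1v15(), resp.signature_hash_algorithm)
    if resp.serial_number != cert.serial_number:
        raise ValueError("response is about a different certificate")
    return resp.certificate_status.name


def demo():
    """Two CAs publish CRLs to one OCSM; clients query that single OCSM for both."""
    a_key, a_cert = make_ca("Constructed CA A")
    b_key, b_cert = make_ca("Constructed CA B")
    ocsm = OCSPResponder(*make_ca("Constructed OCSP Responder"))
    alice, bob = issue(a_key, a_cert, "alice", 1001), issue(b_key, b_cert, "bob", 2002)
    ocsm.publish_crl(a_cert, build_crl(a_key, a_cert, [1001]), [alice])   # CA A revoked alice
    ocsm.publish_crl(b_cert, build_crl(b_key, b_cert, []), [bob])
    x_key, x_cert = make_ca("Constructed CA not served here")
    carol = issue(x_key, x_cert, "carol", 3003)
    return {"alice": check_status(ocsm, alice, a_cert),
            "bob": check_status(ocsm, bob, b_cert),
            "carol": check_status(ocsm, carol, x_cert)}


if __name__ == "__main__":
    print(demo())   # {'alice': 'REVOKED', 'bob': 'GOOD', 'carol': 'UNAUTHORIZED'}
```

Two points the paragraph leaves implicit are made explicit here: the responder verifies each CA's signature on its CRL before serving status for that CA, and the client verifies the responder's signature and the serial number before acting on the status, since an unverified "good" answer is worth nothing.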
Token Key Service.
The Token Key Service (TKS) manages the master and transport keys required to generate and
distribute keys for smart cards. The TKS provides security between tokens and the TPS
because it protects the integrity of the master key and token keys.
Chapter 2. Agent Services