6.3. Token Policies
This section provides a list of token policies that can be applied on a per token basis using the TPS UI. Ech section will show how each policy is reflected in the configuration.
Note
See the Token Policies section of the Red Hat Certificate System 9 Planning, Installation and Deployment Guide for general information.
The policy is a collection of policies each separated by a semicolon ("
;
""). Each policy can be turned on or off with the keywords YES
or NO
. Each policy in the list below will be introduced with its default value - the action taken by TPS if the setting did not exist at all in the policy string.
- RE_ENROLL=YES
- This policy controls whether or not a token allows a reenroll operation. This allows an already enrolled token (with certificates) to be reenrolled and given new ones. If set to
NO
, the server will return an error if a reenrollment is attempted.This policy does not require special configuration. The enrollment will proceed with the standard enrollment profile, which likely enrolled the token originally. - RENEW=NO;RENEW_KEEP_OLD_ENC_CERTS=YES
- Renewal allows a token to have their profile generated certificates to be renewed in place on the token. If
RENEW
is set toYES
, a simple enrollment from the Enterprise Security Client (ESC) will result in a renewal instead of a reenrollment as discussed above.TheRENEW_KEEP_OLD_ENC_CERTS
setting determines if a renewal operation will retain the previous version of the encryption certificate. Retaining the previous certificate allows users to access data encrypted with the old certificate. Setting this option toNO
will mean that anything encrypted with the old certificate will no longer be recoverable.Configuration:op.enroll.userKey.renewal.encryption.ca.conn=ca1 op.enroll.userKey.renewal.encryption.ca.profileId=caTokenUserEncryptionKeyRenewal op.enroll.userKey.renewal.encryption.certAttrId=c2 op.enroll.userKey.renewal.encryption.certId=C2 op.enroll.userKey.renewal.encryption.enable=true op.enroll.userKey.renewal.encryption.gracePeriod.after=30 op.enroll.userKey.renewal.encryption.gracePeriod.before=30 op.enroll.userKey.renewal.encryption.gracePeriod.enable=false op.enroll.userKey.renewal.keyType.num=2 op.enroll.userKey.renewal.keyType.value.0=signing op.enroll.userKey.renewal.keyType.value.1=encryption op.enroll.userKey.renewal.signing.ca.conn=ca1 op.enroll.userKey.renewal.signing.ca.profileId=caTokenUserSigningKeyRenewal op.enroll.userKey.renewal.signing.certAttrId=c1 op.enroll.userKey.renewal.signing.certId=C1 op.enroll.userKey.renewal.signing.enable=true op.enroll.userKey.renewal.signing.gracePeriod.after=30 op.enroll.userKey.renewal.signing.gracePeriod.before=30 op.enroll.userKey.renewal.signing.gracePeriod.enable=false
This type of renewal configuration mirrors the basicuserKey
standard enrollment profile with a few added settings that are renewal specific. This parity is needed because we went to renew exactly the number and type of certs that were enrolled originally on to the token before renewal is to be put into play. - FORCE_FORMAT=NO
- This policy causes every enrollment operation to prompt a format operation if enabled. This is a last-step option to allow tokens to be reset without a user having to return it to an administrator. If set to
YES
, every enrollment operation initiated by the user will cause a format to happen, esentially resetting the token to the formatted state.No additional configuration is necessary. A simple format occurs given the same TPS profile used to perform a standard format operation. - PIN_RESET=NO
- This policy determines if an already enrolled token can perform an explicit “pin reset” change using the ESC. This value must be set to
YES
or the attempted operation will be rejected with an error by the server.Configuration:op.enroll.userKey.pinReset.enable=true op.enroll.userKey.pinReset.pin.maxLen=10 op.enroll.userKey.pinReset.pin.maxRetries=127 op.enroll.userKey.pinReset.pin.minLen=4
In the above example, the settings forminLen
andmaxLen
put constraints on the length of a chosen password, and themaxRetries
setting sets the token to only allow a given number of retries before locking up.
TPS policies can be edited easily using the latest TPS user interface. Navigate to the token that needs a policy change and click Edit. This will bring up a dialog that will allow you to edit the field, which is a collection of semi colon separated policies strung together. Each supported policy must be set to
<POLICYNAME>=YES
or <POLICYNAME>=NO
in order to be recognized by TPS.