3.3. Configuring Phone Home


The Phone Home feature in the Enterprise Security Client associates information within each smart card with information that points to distinct TPS servers and Enterprise Security Client UI pages. Whenever the Enterprise Security Client accesses a new smart card, it can connect to the TPS instance and retrieve the Phone Home information.
Phone Home retrieves and then caches this information; because the information is cached locally, the TPS subsystem does not have to be contacted each time a formatted smart card is inserted.
The information can be different for every key or token, which means that different TPS servers and enrollment URLs can be configured for different corporate or customer groups. Phone Home makes it possible to configure different TPS servers for different issuers or company units, without having to configure the Enterprise Security Client manually to locate the correct server and URL.

Note

In order for the TPS subsystem to utilize the Phone Home feature, Phone Home must be enabled in the TPS configuration file, as follows:
op.format.userKey.issuerinfo.enable=true
op.format.userKey.issuerinfo.value=http://server.example.com

3.3.1. About Phone Home Profiles

The Enterprise Security Client is based on Gnome. When the Enterprise Security Client caches information for each token, the information is stored in the user's configuration file. The next time the Enterprise Security Client is launched, it retrieves the information from the configuration file instead of contacting the server again.
When a smart card is inserted and Phone Home is triggered, the Enterprise Security Client first checks the token for the Phone Home URL, which is the default URL the Enterprise Security Client uses to try connecting to the TPS.
If there is no Phone Home information on the token, users can specify the Phone Home URL value manually by clicking the Phone Home button in the Enterprise Security Client UI. See Section 3.3.2, “Setting the Phone Home URL”. The other information is supplied and stored when the token is formatted. In this case, the company supplies the specific Phone Home URL for the user. After the user submits the URL, the format process adds the rest of the information to the Phone Home profile. The format process is not any different for the user.

3.3.2. Setting the Phone Home URL

The Enterprise Security Client needs to be configured to communicate with the TPS; this is done via the Phone Home URL. Formatted tokens (they can be formatted by the manufacturer or by your IT department) already have this URL set. If a token is unformatted, the Enterprise Security Client cannot find the Phone Home URL; for such blank tokens, the URL must be defined manually.
The Phone Home button allows users to specify the Phone Home URL:
  1. Once a blank token is inserted, click the Phone Home button in the Enterprise Security Client UI to open a configuration dialog.
  2. In the TPS Config URI field, fill in the new TPS URL.
  3. Click OK to save. Once the new Phone Home URL is correctly configured, the rest of the information is retrieved and added to the Phone Home profile.

Figure 3.2. Phone Home URL Configuration

3.3.3. Configuring the TPS to Use Phone Home

The Phone Home feature and the different types of information it uses only work when the TPS is properly configured to use Phone Home; otherwise, the TPS ignores this feature. Phone Home is configured in the phoneHome.xml file in the /var/lib/pki/pki-tomcat/tps/conf/ directory; this prints the Phone Home information to XML.
Example 3.1, “TPS Phone Home Configuration File” shows an example XML file used by the TPS subsystem to configure the Phone Home feature.

Example 3.1. TPS Phone Home Configuration File

<ServiceInfo>
    <IssuerName>Example Corp</IssuerName>
    <Services>
        <!-- TPS server URL -->
        <Operation>http://server.example.com:7888/nk_service</Operation>
        <!-- Optional: enrollment UI -->
        <UI>http://server.example.com:7888/cgi_bin/esc.cgi</UI>
        <!-- Optional: enrolled token URL -->
        <EnrolledTokenBrowserURL>http://www.test.url.com</EnrolledTokenBrowserURL>
    </Services>
</ServiceInfo>
The TPS configuration URI is the URL of the TPS server which returns the rest of the Phone Home information to the Enterprise Security Client. An example of this URL is http://localhost:8443/tps/phoneHome; the URL can reference the machine name, fully-qualified domain name, or an IPv4 or IPv6 address, as appropriate. When the TPS configuration URI is accessed, the TPS server is prompted to return all of the Phone Home information to the Enterprise Security Client.
To test the URL of the Smart Card server, enter the address in the TPS Config URI field, and click Test URL.
If the server is successfully contacted, a message box indicates success. If the test connection fails, an error dialog appears.
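
A consistency check for phoneHome.xml, as an added example that is not part of the Red Hat documentation or the TPS code: it parses a file shaped like Example 3.1 and reports a missing Operation URL, annotation text left inside a URL element, malformed URLs, and http:// URLs. Reporting http:// as a finding is a policy assumption of this example, and the sample documents are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Elements under <Services> in Example 3.1; True marks the one not labelled optional.
URL_FIELDS = {"Operation": True, "UI": False, "EnrolledTokenBrowserURL": False}

def check_phone_home(xml_text):
    """Return findings for a phoneHome.xml document; an empty list means clean."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if root.tag != "ServiceInfo":
        findings.append(f"root element is <{root.tag}>, expected <ServiceInfo>")
    services = root.find("Services")
    if services is None:
        return findings + ["Services element is missing"]
    for name, required in URL_FIELDS.items():
        value = (services.findtext(name) or "").strip()
        if not value:
            if required:
                findings.append(f"{name} is missing or empty")
            continue
        if any(ch.isspace() for ch in value):
            # Notes typed inside an element are part of its text value.
            findings.append(f"{name} contains text besides the URL: {value!r}")
            continue
        try:
            parts = urlsplit(value)
            valid = parts.scheme in ("http", "https") and bool(parts.hostname)
        except ValueError:  # e.g. malformed IPv6 literal
            valid = False
        if not valid:
            findings.append(f"{name} is not an http(s) URL: {value!r}")
        elif parts.scheme == "http":
            # Assumption of this example: cleartext transport is reported.
            findings.append(f"{name} uses cleartext http: {value}")
    return findings

# Constructed sample inputs, modelled on Example 3.1.
SAMPLE_CLEAN = ("<ServiceInfo><IssuerName>Example Corp</IssuerName><Services>"
                "<Operation>https://server.example.com:8443/tps/phoneHome</Operation>"
                "</Services></ServiceInfo>")
SAMPLE_FLAWED = ("<ServiceInfo><IssuerName>Example Corp</IssuerName><Services>"
                 "<Operation>http://server.example.com:7888/nk_service ## TPS server URL</Operation>"
                 "<UI>http://server.example.com:7888/cgi_bin/esc.cgi</UI></Services></ServiceInfo>")
if __name__ == "__main__":
    print("\n".join(check_phone_home(SAMPLE_FLAWED)))
```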