To determine the CA domain to which it will route a request, the CMP CGI program first tries to determine the issuer distinguished name:

- If the message type is cr (certificate request), the issuer field of the CertTemplate structure is used as the issuer distinguished name if it is present. If it is not, the recipient field in the message header is used as the issuer distinguished name if it is in the form of a Directory Name (distinguished name). If the recipient field is not in the form of a Directory Name, an issuer distinguished name is not used to determine the CA domain name; instead, the URL to which the CMP request was sent is used to determine the CA domain.
- If the message type is p10cr (PKCS #10 certificate request message), the recipient field in the message header is used as the issuer distinguished name if it is in the form of a Directory Name (distinguished name). If the recipient field is not in the form of a Directory Name, an issuer distinguished name is not used to determine the CA domain name; instead, the URL to which the CMP request was sent is used to determine the CA domain.
- If the message type is rr (revoke request), the issuer and serial number fields of the CertDetails field are used as the issuer distinguished name and the serial number of the certificate to be revoked or suspended. If the serial number is not present, the request is rejected. If the issuer field is not present, the recipient field in the message header is used as the issuer distinguished name if it is in the form of a Directory Name (distinguished name). If the recipient field is not in the form of a Directory Name, an issuer distinguished name is not used to determine the CA domain name; instead, the URL to which the CMP request was sent is used to determine the CA domain.
If the CMP CGI program was able to determine the issuer distinguished name, and the request is a certificate request (type cr or p10cr), the CMP CGI program does the following processing to determine to which CA domain it routes the request:

1. The CMP CGI program compares the issuer distinguished name extracted from the request, in string format, to the values defined in the _PKISERV_CMP_DOMAIN_ISSUERi environment variables (where i is 1 through the number of CA domains). The comparison is made by comparing the relative distinguished names in order of specification (first from most specific to least specific, then from least specific to most specific). For example, if the issuer distinguished name in a request message is OU=STG,O=IBM,C=US, it would match a _PKISERV_CMP_DOMAIN_ISSUERi environment variable whose value was set to either of the following values:
   - OU=STG, O=IBM, C=US (most specific first)
   - c=us,o=ibm,ou=stg (least specific first)
   The comparison is made without regard to character case (case-insensitive). Some differences in spacing are allowed. For example, "O=IBM" matches "O = IBM", but not "O=I B M". If a match is found for the issuer distinguished name, the CMP CGI program continues to step 2. If no match is found, it uses the URL to which the CMP request was sent to determine the CA domain.
2. The number (i) of the matching _PKISERV_CMP_DOMAIN_ISSUERi environment variable is used to read the domain name environment variable _PKISERV_CMP_DOMAIN_NAMEi_n. The _PKISERV_CMP_DOMAIN_NAMEi_n variable with the highest value of n is used because it represents the current domain name of the CA for accepting new certificate requests. (When the value of n is greater than 1, at least one CA rollover has occurred.) For example, if the issuer distinguished name in a cr message matched the value in _PKISERV_CMP_DOMAIN_ISSUER3, and one CA rollover has occurred for that CA, the CA domain name is retrieved from the _PKISERV_CMP_DOMAIN_NAME3_2 environment variable. If the _PKISERV_CMP_DOMAIN_NAMEi_n environment variable cannot be read, the CMP request is rejected.
If the CMP CGI program was able to determine the issuer distinguished name, the request is a revoke request (type rr), and a serial number was present in the request, the CMP CGI program does the following processing to determine to which CA domain it routes the request:

1. The CMP CGI program compares the issuer distinguished name extracted from the request, in string format, to the values defined in the _PKISERV_CMP_DOMAIN_ISSUERi environment variables (where i is 1 through the number of CA domains). The comparison is made in the same manner as described in step 1 for cr and p10cr requests. If a match is found for the issuer distinguished name, the CMP CGI program continues to step 2. If no match is found, it uses the URL to which the CMP request was sent to determine the CA domain.
2. The number (i) of the matching _PKISERV_CMP_DOMAIN_ISSUERi environment variable is then used to read the serial number domain name environment variables _PKISERV_CMP_DOMAIN_FSTSNi_n. Each _PKISERV_CMP_DOMAIN_FSTSNi_n environment variable is read, starting with an n value of 1, and compared to the serial number retrieved from the rr request.
   - If there are no _PKISERV_CMP_DOMAIN_FSTSNi_n environment variables defined, the domain name is read from the _PKISERV_CMP_DOMAIN_NAMEi_1 environment variable.
   - If the serial number is greater than the value of a _PKISERV_CMP_DOMAIN_FSTSNi_n environment variable and less than the value of the next one (or that variable is the last one defined), the domain name is read from the corresponding _PKISERV_CMP_DOMAIN_NAMEi_n environment variable.

Example: An rr request is made by a CMP client specifying an issuer distinguished name of OU=STG, O=IBM, C=US, and the following sample is an excerpt from the defined environment variables:

_PKISERV_CMP_DOMAIN_ISSUER3= OU=STG, O=IBM, C=US
_PKISERV_CMP_DOMAIN_NAME3_1=STG_CA
_PKISERV_CMP_DOMAIN_NAME3_2=STG_CA2
_PKISERV_CMP_DOMAIN_NAME3_3=STG_CA3
_PKISERV_CMP_DOMAIN_FSTSN3_1=3
_PKISERV_CMP_DOMAIN_FSTSN3_2=12500
_PKISERV_CMP_DOMAIN_FSTSN3_3=25000

If the serial number specified in the rr request is 20000 decimal, the revocation request is routed to the STG_CA2 domain, because STG_CA2's first serial number is less than 20000 and the first serial number issued by STG_CA3 is greater than 20000.
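The following is an added illustration of both routing procedures described above (the issuer matching from step 1, the highest-n domain selection for cr/p10cr requests, and the first-serial-number range selection for rr requests), using the environment variable excerpt from the example. It is example code written for this page, not part of PKI Services; the environment dictionary is constructed, and the handling of a serial number exactly equal to a first serial number is an assumption that the text does not settle.

```python
import re
# Constructed sample environment, copied from the page's worked example for CA domain 3.
ENV = {
    "_PKISERV_CMP_DOMAIN_ISSUER3": " OU=STG, O=IBM, C=US",
    "_PKISERV_CMP_DOMAIN_NAME3_1": "STG_CA",
    "_PKISERV_CMP_DOMAIN_NAME3_2": "STG_CA2",
    "_PKISERV_CMP_DOMAIN_NAME3_3": "STG_CA3",
    "_PKISERV_CMP_DOMAIN_FSTSN3_1": "3",
    "_PKISERV_CMP_DOMAIN_FSTSN3_2": "12500",
    "_PKISERV_CMP_DOMAIN_FSTSN3_3": "25000",
}

def rdns(dn):
    """Split a string DN into RDNs, lower-cased, with spaces around '=' and ',' removed."""
    return [re.sub(r"\s*=\s*", "=", p.strip()).lower() for p in dn.split(",")]

def issuer_matches(request_dn, env_dn):
    """RDNs must agree in order, either most-specific-first or least-specific-first."""
    a, b = rdns(request_dn), rdns(env_dn)
    return a == b or a == b[::-1]

def indexed_vars(env, pattern):
    """Return [(n, value), ...] sorted by n for every variable whose name matches pattern."""
    found = [(int(m.group(1)), v) for k, v in env.items()
             if (m := re.fullmatch(pattern, k))]
    return sorted(found)

def find_issuer_index(env, request_dn):
    """i of the matching _PKISERV_CMP_DOMAIN_ISSUERi, or None (caller falls back to the URL)."""
    hits = [i for i, v in indexed_vars(env, r"_PKISERV_CMP_DOMAIN_ISSUER(\d+)")
            if issuer_matches(request_dn, v)]
    return hits[0] if hits else None

def route_cert_request(env, request_dn):
    """cr/p10cr: NAMEi_n with the highest n (current domain after rollovers); None = no match."""
    i = find_issuer_index(env, request_dn)
    names = indexed_vars(env, rf"_PKISERV_CMP_DOMAIN_NAME{i}_(\d+)") if i is not None else []
    return names[-1][1] if names else None

def route_revoke_request(env, request_dn, serial):
    """rr: pick n with FSTSNi_n <= serial < FSTSNi_(n+1); with no FSTSN variables use NAMEi_1."""
    i = find_issuer_index(env, request_dn)
    if i is None:
        return None  # no issuer match: route by the URL the request was sent to
    n = 1
    for idx, first_serial in indexed_vars(env, rf"_PKISERV_CMP_DOMAIN_FSTSN{i}_(\d+)"):
        if serial >= int(first_serial):  # assumption: a serial equal to a first serial belongs to that CA
            n = idx
    return env.get(f"_PKISERV_CMP_DOMAIN_NAME{i}_{n}")
```

With the sample environment, a revocation of serial 20000 under OU=STG,O=IBM,C=US resolves to STG_CA2, while a new certificate request for the same issuer resolves to STG_CA3, the domain with the highest n.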