In the wake of rapidly proliferating electronic-business initiatives, the adoption of public key infrastructure (PKI) and certificate-based authentication implementations has surged. Managing certificate authorities can be a bear, and as businesses integrate new suppliers and vendors faster than ever, accurate deployment of a certificate authority is a formidable challenge.
The iPlanet Certificate Management System (CMS) 4.1 from the Sun-Netscape Alliance successfully meets that challenge. Although it is less developed than Entrust's PKI solutions and lacks the out-of-the-box plug-ins and toolkits of Baltimore's Unicert, CMS is more affordable than comparable solutions, such as Security Dynamics' Keon Certificate Server.
Providing a centralised point for certificate authentication and access, CMS 4.1 integrates archival and recovery features with management tools to automate the issuing and renewal of certificates. Also, CMS leverages Lightweight Directory Access Protocol (LDAP) to improve the speed and scalability of a directory-based certificate store.
CMS will provide an immediate return on investment by securely integrating the next supplier or partner added to your electronic-commerce framework. Based on Netscape's Directory Server, CMS can now support millions of certificates. CMS offers the scalability and fortitude required to execute a comprehensive e-commerce security plan. But with its server-independent, per-seat pricing, it provides an affordable foundation for any business looking to quickly implement certificate-management services across a variety of PKI-enabled tools.
Although CMS 4.1 is a first release, it performed like a seasoned veteran. It comprises three modules: the Certificate Manager, which issues certificates and processes authentication requests; the Registration Manager, which authenticates enrollment and renewal requests; and the Data Recovery Manager, which provides secure archival and retrieval of encryption keys.
I easily set up a certificate authority replete with directory-based publishing and authentication capabilities. Using a CMS wizard to generate certificates, I quickly established rules and policies with certificates customised to varying degrees of key strength and periods of validity. CMS also has importing facilities, which I used to incorporate my LDAP user directory, further hastening the process of bulk certificate issuance.
Users can easily navigate CMS's automated certificate-issuance capability via the Java-based interface from a Web browser. In addition to establishing and renewing certificates, the system manages certificate revocation lists and triggers e-mail notifications regarding expiration and renewal obligations.
Using the console interface, I easily administered policies and set up notification templates. CMS's flexibility allowed me to customise the enrollment process to make it suitable for my business. Also, queuing manual certificate requests can trigger e-mail responses from pre-established templates. Because this process could quickly tax resources in a large-scale extranet scenario, CMS provides alternative notification schemes that regularly display, for example, only scheduled queue summaries.
The inability to work effectively with existing applications is a weakness in PKI when used for large-scale deployment. CMS 4.1 has open APIs and Java plug-in capability, offering an extensible system that integrates with existing security modules, enterprise resource planning systems, and legacy databases. But CMS still needs in-house expertise to integrate with existing applications.
Although CMS 4.1 is not forging new ground, I found that it possesses a level of maturity that puts it on par with competitors' offerings for securing intranet and extranet transactions. CMS provides a comprehensive security authority solution, offering top-notch implementation that is extensible, scalable, and affordable.
James R. Borck (email@example.com) is IS director at Industrial Art & Science in Connecticut.
The bottom line: very good
iPlanet Certificate Management System 4.1
Summary: This tool offers distributed management over a centralised certificate authority and a built-in recovery capability, automated certificate issuance and renewal, and scalability to millions of certificates.
Business Case: With Certificate Management System, suppliers and partners can be quickly added to your security infrastructure with a flexibility not found in outsourced certificate authorities. Open APIs and plug-ins allow cost-effective integration with existing security implementations, and automated management reduces administrative overhead.
+ Comprehensive suite
+ Per-seat pricing structure
+ Lightweight Directory Access Protocol-based directory store
Cons
- Limited integration modules
- Limited interoperability with different digital certificates
Platforms: Windows NT 4.0 Service Pack 4, Solaris 2.51/2.6.