Administering and using the TSS

This section includes information on the daily administration and usage tasks.

Restoring a TSA key

The Restore option is enabled only if the TSA key status is Uncertified. If the key is in any other state:

  • Delete the TSA certificate from the TSA Certificate Store

  • Cancel any pending TSA certification requests

  • Re-create the TSA certificate so that the Restore option is enabled.

Before attempting to restore a TSA key, ensure that the TSA key backup file key_dsetsa_tsakey(n) is present in the %NFAST_KMDATA%\local directory on the system hard drive. If necessary, copy the backup file you made at the time of creation into this directory. The restore fails if %NFAST_KMDATA%\local\key_dsetsa_tsakey(n) is not in place.

  1. Log in with the Security Officer role.

  2. Navigate to TSA Management > Certification Status.

    The TSA Certification dialog opens, listing all the TSAs that exist in the TSS.

  3. Select the TSA that you would like to restore, then click Restore.

    If the %NFAST_KMDATA%\local\key_dsetsa_tsakey(n) file is not found, the TSS returns the following message:

    The restore blob for the dsetsa,tsakey(n) could not be found.
    Unable to restore the TSA Certification.

    The Loading OCS:OCSName dialog opens. This dialog displays general information about the OCS followed by loading state information and a Next button. Each time you click Next, you are redirected to an updated display of this dialog. (This is the same dialog that was used to enable the TSA Key for backup.) The Loading OCS:OCSName dialog requests cards and pass phrases until you have presented a quorum and the OCS is loaded.

    If you cannot present the required number (K) of Operator Cards (for example, if you have lost too many cards from the OCS), the TSA backup facility does not work.

  4. When the OCS is loaded, the TSS returns the following message:

    Operator Card Set OCSName loaded.
  5. Click Next.

    The TSA key and certificate are restored, and you are directed to the TSA Certificate Info dialog, which displays information about the restored certification.
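The following PowerShell pre-flight check is an added example and is not part of the TSS documentation or the product. It checks, before you start presenting Operator Cards, that the restore blob is in %NFAST_KMDATA%\local and that it is byte-for-byte identical to the off-box backup copy made at key creation time. It assumes that the (n) in key_dsetsa_tsakey(n) is a plain index supplied as $TsaIndex, and that $BackupDir is the directory holding your backup copy; both are assumptions, not names from the page.

```powershell
# Added example (not from the TSS documentation): pre-flight check for
# "Restoring a TSA key". Run as a user that can read %NFAST_KMDATA%.
# Assumptions: $TsaIndex is the (n) in key_dsetsa_tsakey(n); $BackupDir is
# where the backup copy taken at key creation time lives.
param(
    [Parameter(Mandatory)] [int]    $TsaIndex,
    [Parameter(Mandatory)] [string] $BackupDir
)

$kmdata = $env:NFAST_KMDATA
if (-not $kmdata) {
    throw "NFAST_KMDATA is not set; the nShield software does not appear to be installed on this host."
}

$fileName = "key_dsetsa_tsakey$TsaIndex"
$target   = Join-Path (Join-Path $kmdata 'local') $fileName
$source   = Join-Path $BackupDir $fileName

if (-not (Test-Path -LiteralPath $source)) {
    throw "Backup copy $source not found. Without it (and a quorum of the OCS) the key cannot be restored."
}

if (-not (Test-Path -LiteralPath $target)) {
    Write-Host "Restore blob missing from $target; copying from backup."
    Copy-Item -LiteralPath $source -Destination $target
}

# Compare hashes rather than trusting the file name: a stale or truncated blob
# would only fail at the Restore step, after the card quorum has been presented.
$srcHash = (Get-FileHash -LiteralPath $source -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) {
    throw "Restore blob in $target does not match the backup copy (SHA-256 differs). Replace it before restoring."
}

Write-Host "OK: $target is in place and matches the backup (SHA-256 $srcHash)."
```

The blob is useless without K cards of the OCS, but treat it as sensitive anyway: keep the off-box copy under the same access control as the Security World data.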

Removing an upper clock

The TSA Configuration dialog is where you manage audit settings and add or remove upper clocks. See Adding an upper clock for information on how to add a new upper clock.

  1. Log in with the Network Manager role.

  2. Navigate to TSA Management > Configuration.

    The TSA Configuration dialog opens, listing all the TSAs that have been created.

  3. Select the required TSA, and click Configure.

  4. In the TSA Configuration dialog, select the clock you want to remove, then click Remove.

  5. When prompted, click OK to confirm that you want to remove the clock.

Enabling or disabling the clock

Use this option only if you cannot import valid certificates, or if the logs show that the DS/NTP transaction has failed because the TSS reports that valid certificates have expired or are not yet valid.

  1. Log in with the Network Manager role.

  2. Navigate to TSA Management > Clock Management.

  3. To enable or disable the clock, click Enable or Disable as appropriate, then click Set Clock to synchronize the TSS time to the host operating system clock. Ensure that the host clock is accurate before you do this.

    To set the time accurately, the host's time server (clock server) and time zone must be correct. The time only needs to be close enough that a subsequent audit can confirm or correct it.

Viewing card set lists

It is often necessary to obtain information from card sets. For security reasons, card sets usually do not include identification marks.

  1. Log in with the Security Officer role.

  2. Navigate to Card Set Management > List Card Sets.

    The following details are displayed.

    Object Description

    Name

    This is the name the card set was given when it was created.

    K of N

    The number of Operator Cards (K) that must be presented to load a key protected by the set, and the total number of cards in the set (N).

    Persistent

    This shows whether or not a card set is persistent. By default, the TSS creates non-persistent card sets, which means that keys protected by this card set become unavailable when the last card is removed.

    Timeout

    The time-out is the length of time that an Operator Card from the set remains effective after it is inserted in the card reader. After the time-out is reached, the card must be re-inserted before it can be used again. You cannot set a time-out value greater than a year (that is, 31622400 seconds, or 366 days).

Viewing or changing card sets

The View/Change menu option enables you to examine cards inserted into a TSS from the same Security World as the TSS on which they were created. To change a card pass phrase, you require both the card and the old pass phrase.

  1. Log in as a Security Officer.

  2. Navigate to Card Set Management > View/Change.

    The Card Utilities dialog opens.

  3. Click Set Pass Phrase to change the pass phrase of a card that has been inserted.

    For information on pass phrases, see Using pass phrases.

  4. Optionally, click Erase to erase all the data of a card that has been inserted.

Viewing TSA certificate information

Use this menu option to view details of a TSA certificate.

  1. Log in with the Security Officer role.

  2. Navigate to TSA Management > Certification Status. The TSA Certification Status dialog opens, displaying all the TSAs that exist in the TSS.

  3. Select the TSA you would like to work with, then click Cert Info. The TSA Certificate Information dialog displays the following information for the selected TSA:

    Field Description

    TSA Key Status

    A green, amber, or red light here informs you of the key status.

    Export

    You can export (download) the certificate in base64 format by clicking here.

    Version

    Refers to the version of ITU-T X.509 that defines the certificate syntax. The TSS uses version 3 (X.509 v3), the industry standard.

    Serial Number

    A unique number assigned by the Certificate Authority that issues the certificate. It is simply a way to uniquely identify a specific certificate issued by a particular CA.

    Signature algorithm

    The signature algorithm used by the CA.

    Issued by

    The issuer of the certificate.

    Issued to

    The entity to whom the certificate is issued.

    Valid from

    Beginning date that the certificate is valid.

    Valid to

    Date that ends the certificate’s validity. All dates in the TSS are displayed in the format yyyy/mm/dd and all times are displayed as hh:mm:ss.

    Public key type

    Displays the certificate’s public key type.

    Public key

    This field is a long string of characters. Click Public Key to see the key in its usual block format. Clicking any of the linked fields opens a pop-up window with that information presented in block format.
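The exported certificate can be checked offline before it is distributed to relying parties. The PowerShell script below is an added example, not part of the TSS documentation or the product: it decodes the file produced by Export (assumed to be either a bare base64 blob or PEM with BEGIN/END CERTIFICATE lines), prints the same fields the TSA Certificate Information dialog shows, reports whether the certificate is currently within its validity window, and additionally checks for the id-kp-timeStamping extended key usage (OID 1.3.6.1.5.5.7.3.8), which RFC 3161 requires a TSA certificate to carry as a critical extension; that EKU check is a requirement of the RFC, not something the page states. $CertPath and $WarnDays are the script's own parameters.

```powershell
# Added example (not from the TSS documentation): inspect an exported TSA
# certificate. Assumes the exported file is bare base64 or PEM.
param(
    [Parameter(Mandatory)] [string] $CertPath,
    [int] $WarnDays = 30       # warn when less than this many days of validity remain
)

# Strip PEM armour (if present) and whitespace, then decode the DER bytes.
$b64  = (Get-Content -LiteralPath $CertPath -Raw) -replace '-----[^-]+-----', '' -replace '\s', ''
$der  = [Convert]::FromBase64String($b64)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)

# Validity window, evaluated in UTC because the TSS itself works in UTC.
$now       = [DateTime]::UtcNow
$notBefore = $cert.NotBefore.ToUniversalTime()
$notAfter  = $cert.NotAfter.ToUniversalTime()
if ($now -lt $notBefore) {
    $status = 'NOT YET VALID'
} elseif ($now -gt $notAfter) {
    $status = 'EXPIRED'
} elseif (($notAfter - $now).TotalDays -lt $WarnDays) {
    $status = "EXPIRING within $WarnDays days"
} else {
    $status = 'valid'
}

# RFC 3161 section 2.3: a TSA certificate must contain the extended key usage
# id-kp-timeStamping (1.3.6.1.5.5.7.3.8) and that extension must be critical.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @()
if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
$tsaEkuOk = ($ekuOids -contains '1.3.6.1.5.5.7.3.8') -and $eku.Critical

[pscustomobject]@{
    Version            = $cert.Version                    # expected: 3
    SerialNumber       = $cert.SerialNumber
    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
    IssuedBy           = $cert.Issuer
    IssuedTo           = $cert.Subject
    ValidFromUtc       = $notBefore.ToString('yyyy/MM/dd HH:mm:ss')
    ValidToUtc         = $notAfter.ToString('yyyy/MM/dd HH:mm:ss')
    PublicKeyType      = $cert.PublicKey.Oid.FriendlyName
    Thumbprint         = $cert.Thumbprint
    Status             = $status
    TimeStampingEku    = if ($tsaEkuOk) { 'present, critical' } else { 'MISSING or not critical' }
}
```

If the EKU check fails, relying parties that validate time-stamp tokens strictly (as RFC 3161 instructs) will reject tokens signed under this certificate even though the TSS itself reports the key as certified.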

Viewing Time Attribute Certificate (TAC) information

When the TSS is successfully audited, it gets a new TAC. The new TAC overlaps the previous TAC under which your TSS was issuing time-stamps. If you have an operational TAC and an audit fails because of time drift, the audit produces a non-operational TAC that overlaps the previous TAC. In such a case, the TSS is no longer able to issue time-stamps until a successful audit is completed.

  1. Log in with either the Network Manager or the Security Officer role.

  2. Navigate to TSA Management > Operational Status.

    The TSA Operational Status dialog opens, displaying all the TSAs that exist in the TSS.

  3. Select the required TSA, then click Details.

    The Operational Status for the selected TSA is displayed.

  4. Click TAC Info.

    The following information is displayed:

    Field Description

    TAC Status

    A green, amber, or red light informs you of the status.

    Initiate Audit

    When you click this button, an audit request is sent to the Upper Clock indicated in your network setup, as described in Adding an upper clock. The display will not automatically refresh when the audit is received. Click the menu item again to refresh.

    Delay

    The round-trip communication delay between the TSS and the audit clock.

    Offset

    Tells you how much your clock differs from the clock that audited it (an NMI-based Trusted Master Clock, using UTC).

    Max Delay

    The maximum allowable network delay to receive a successful audit.

    Max Offset

    The maximum time offset allowed to receive a successful audit. This is measured in seconds.

    Valid From

    Tells you the date the TAC became valid. All dates in the TSS are displayed in the format yyyy/mm/dd, and all times as hh:mm:ss.

    Valid To

    Tells you the date the TAC will become invalid.

    Leap Event

    Any scheduled leap second event is noted here.

    Timing Policy OID

    Refers to the timing policy statement of the upper clock which issued this TAC.

Viewing time-stamps issued

The Time Stamps Issued option shows statistics for the time-stamps that have been issued. These are counts, not copies of the time-stamps themselves; to keep a record of each time-stamp, see Recording TACs and time-stamps.

  1. Log in with the Network Manager role.

  2. Navigate to TSA Management > Time Stamps Issued.

    The TSA Time-Stamps Issued dialog opens, listing all the TSAs that exist in the TSS.

  3. Select the TSA that you would like to work with, then click Details.

    The Time-stamps dialog opens, displaying the following time-stamp statistics:

    Area / button Description

    Total

    Displays in total and by percentage the time-stamps requested, granted, and rejected.

    Under Current TAC

    Displays time-stamps requested, granted, and rejected under the current operational TAC.

    Refresh

    Click this button to display the latest statistics.

Viewing the uptime

The Uptime option shows when the DSE200 service was last restarted.

  1. Log in with the Network Manager role.

  2. Navigate to Server Management > Uptime.

    The TSS uptime details, the UTC time, the current time of the browser, and the time zone settings are displayed.

Viewing or resetting Administrator and Board logs

  1. Log in with either the Security Officer or the Network Manager role.

  2. Navigate to Logging and select one of the following:

    • Administrator Log: records all TSS activities done within the Security Officer and Network Manager user interfaces.

    • Board Log: contains information about the internal state of the time-stamp server (for example, whether time-stamping and logging are enabled or disabled, records of audit requests generated by the expiration of a TAC, receipt of a TAC, and clock calibration).

Depending on the option that you select, either the Administrator Log or the Board Log dialog opens.

To view the selected log:

  1. Click Show Log to display the log dialog.

  2. Choose the parameters for viewing the log, then click Display.

    The log records are displayed with the most recent entries at the bottom. For more on Board log errors and alerts, see Error messages and alerts.

To reset the selected log:

  1. Click Reset to display the reset log dialog.

  2. Click Start to rotate the log.

Recording TACs and time-stamps

If you wish to record the TACs that are received and the time-stamps that are issued, set the environment variable TSS_LOGTIMESTAMPS=1. If you set this environment variable:

  • Each TAC is recorded in an individual file in the %NFAST_HOME%\dse200\UserFiles\tac_log\ directory. There are no configuration options.

  • All the issued time-stamps are saved in the %NFAST_HOME%\dse200\UserFiles\tst_log\ directory.

This feature is optional and is disabled by default.
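The PowerShell script below is an added example, not part of the TSS documentation or the product. It sets TSS_LOGTIMESTAMPS=1 at machine scope (where a Windows service can see it) and then runs a simple health check over the two directories named above, reporting how long ago the last time-stamp was written and a per-day count of recorded time-stamps. It assumes that tst_log holds one file per issued time-stamp and tac_log one file per TAC (the page says only that time-stamps and TACs are saved there), and $MaxSilenceMinutes is the script's own alerting threshold.

```powershell
# Added example (not from the TSS documentation): enable recording of TACs and
# time-stamps, then check the recorded files. Assumes one file per record.
param([int] $MaxSilenceMinutes = 60)

$nfastHome = $env:NFAST_HOME
if (-not $nfastHome) { throw "NFAST_HOME is not set." }
$tstLog = Join-Path $nfastHome 'dse200\UserFiles\tst_log'
$tacLog = Join-Path $nfastHome 'dse200\UserFiles\tac_log'

# 1. Enable recording at machine scope. Services inherit their environment
#    from the Service Control Manager, so restart the DSE200 service afterwards;
#    a reboot may be needed before the service sees the new value.
if ([Environment]::GetEnvironmentVariable('TSS_LOGTIMESTAMPS', 'Machine') -ne '1') {
    [Environment]::SetEnvironmentVariable('TSS_LOGTIMESTAMPS', '1', 'Machine')
    Write-Warning 'TSS_LOGTIMESTAMPS=1 set at machine scope; restart the DSE200 service (or reboot) for it to take effect.'
}

# 2. Health check over what has been recorded so far.
function Get-NewestFile([string] $Dir) {
    if (-not (Test-Path -LiteralPath $Dir)) { return $null }
    Get-ChildItem -LiteralPath $Dir -File |
        Sort-Object LastWriteTimeUtc -Descending |
        Select-Object -First 1
}

$now       = [DateTime]::UtcNow
$newestTst = Get-NewestFile $tstLog
$newestTac = Get-NewestFile $tacLog

if ($null -eq $newestTst) {
    Write-Warning "No recorded time-stamps in $tstLog (recording not active yet, or no requests served)."
} else {
    $silence = ($now - $newestTst.LastWriteTimeUtc).TotalMinutes
    if ($silence -gt $MaxSilenceMinutes) {
        # A failed audit leaves a non-operational TAC and the TSS stops issuing,
        # so a long silence is worth checking against TAC Info in the UI.
        Write-Warning ('Last time-stamp written {0:N0} minutes ago; check the TAC status.' -f $silence)
    }
}

if ($newestTac) {
    "Most recent TAC file: $($newestTac.Name), written $($newestTac.LastWriteTimeUtc.ToString('yyyy/MM/dd HH:mm:ss')) UTC"
}

# Per-day counts, for comparison with the Total / Under Current TAC figures in the UI.
if (Test-Path -LiteralPath $tstLog) {
    Get-ChildItem -LiteralPath $tstLog -File |
        Group-Object { $_.LastWriteTimeUtc.ToString('yyyy/MM/dd') } |
        Sort-Object Name |
        Select-Object @{ n = 'Day'; e = { $_.Name } }, Count
}
```

The recorded time-stamps are evidence of what the TSS signed and when; restrict write access to tst_log and tac_log to the service account and archive them with the Board log.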

Viewing user login statistics

The User Login Statistics menu option enables you to view the login statistics by user type. Server statistics displays the consolidated login details for all user types.

  1. Log in with either the Network Manager or Security Officer role.

  2. Navigate to Logging > User Login Info.

    The User Login Statistics dialog opens, displaying login information by user and for the server as a whole.

  3. To view login statistics by user type:

    1. Select a user type from the Statistics For drop-down menu.

    2. Click the Details button next to the Statistics For drop-down menu.

    The login statistics for the selected user type are displayed.

  4. To view the consolidated login information for all user types, click the Details button next to Server Statistics.

    All dates in the TSS are displayed in the format yyyy/mm/dd, and all times as hh:mm:ss.

Viewing the log archive

The archive stores the old Admin and Board logs.

  1. Log in with either the Network Manager or Security Officer role.

  2. Navigate to Logging > Archive.

    The Log Archive dialog opens, displaying links to the Admin and Board logs.

  3. Click the required link.

  4. In the Log Archive dialog, select the required options and click Display.

    The log records are displayed, with the most recent entries at the bottom.

Adding a user

User roles are defined as follows:

  • Security Officer: authorized to perform key and certificate management. The Security Officer manages keys, certificates, and the log file, but is not responsible for the day-to-day management or operational tasks.

  • Network Manager: authorized to manage time-stamping and auditing. The Network Manager is responsible for managing and operating the TSS on a day-to-day basis. The Network Manager can also enable or disable time-stamping and auditing.

Any users you add must be assigned one of these roles. There may be more than one Security Officer and more than one Network Manager.

  1. Log in with the Security Officer role.

  2. Navigate to User Management > Add User. The Add User dialog opens.

  3. Enter the following information:

    Field Enter / Select

    User Name

    The login name for the account (for example, the user’s first name or a nickname).

    User Role

    The user’s role: Security Officer or Network Manager.

    Real Name

    The user’s real name.

    E-mail

    The user’s e-mail address. This is just for display purposes, and can be the same e-mail address as in Notify E-Mail, described below.

    Notify E-mail

    The e-mail address to which notices from the board log are sent.

    Notify E-Mail From

    The e-mail address from which the user receives Notify e-mails.

    Notify E-Mail Subject

    If left blank, the default value (%<N DSE200>%*E Notification) is used, where N expands to the hostname of the TSS and E expands to "Error", "Alert", or "Error/Alert", depending on the log messages that triggered the notice.

    Notify SMTP

    The SMTP server handling such notices. This is the e-mail server (example: smtp.<servername>.com) that the TSS uses to send e-mail notifications.

    Password

    A password for the user. The maximum length of a password is 128 characters.

    Verify password

    The password again to confirm it.

  4. Click Add User.

    If the Modify User screen opens (see next section), then the new user has been added.

Modifying or deleting users

  1. Log in with the Security Officer role.

  2. Navigate to User Management > Modify/Delete Users.

  3. Select the user and check their identifying data, then click the appropriate button: Update, Delete, or Change Password.

    A user account can be locked or unlocked via the Account Locked checkbox.

  4. Click OK to complete the action.

  5. When prompted, enter and re-enter the new password.

    Use the Prev and Next buttons to go to the previous or next user’s profile to be modified.

Modifying user information

  1. Log in with the Network Manager role.

  2. Navigate to User Management > Modify Users.

  3. Change the information as required.

  4. Optionally, click Change Password to change your password.

  5. After you have made the required changes, click OK to save the changes.

Restarting the service

You may have to restart the service at times, for example after you have installed a new TLS certificate. As a Windows administrator, restart the DSE200 service via the standard Windows Services facility.
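After a restart that follows a TLS certificate change, the practical check is that the listener really serves the new certificate. The PowerShell script below is an added example, not part of the TSS documentation or the product: it finds the DSE200 service by display name, restarts it, waits for it to report Running, and then opens a TLS connection to the web interface to compare the thumbprint of the certificate actually presented with the one you installed. The service-name match, $TssHost, $Port (443 by default) and $ExpectedThumbprint are all assumptions of the example; adjust them to your installation.

```powershell
# Added example (not from the TSS documentation): restart the DSE200 service
# and verify the certificate served by the HTTPS listener. Run elevated.
param(
    [string] $TssHost = 'localhost',
    [int]    $Port    = 443,
    [Parameter(Mandatory)] [string] $ExpectedThumbprint   # SHA-1 thumbprint of the new certificate
)

$svc = @(Get-Service | Where-Object { $_.DisplayName -like '*DSE200*' -or $_.Name -like '*DSE200*' })
if ($svc.Count -eq 0) { throw 'No DSE200 service found; check the service name in services.msc.' }
if ($svc.Count -gt 1) { throw "More than one service matched: $($svc.Name -join ', ')" }

Restart-Service -Name $svc[0].Name -Force
(Get-Service -Name $svc[0].Name).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Fetch the leaf certificate the listener presents. The validation callback
# accepts anything because this is an inspection step, not a trust decision.
$client = [System.Net.Sockets.TcpClient]::new($TssHost, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new(
        $client.GetStream(), $false, { param($sender, $cert, $chain, $errors) $true })
    $ssl.AuthenticateAsClient($TssHost)
    $served = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
} finally {
    $client.Close()
}

$expected = $ExpectedThumbprint.ToUpperInvariant().Replace(' ', '').Replace(':', '')
if ($served.Thumbprint -ne $expected) {
    throw "Listener still serves $($served.Subject) ($($served.Thumbprint)); expected $expected."
}
"OK: ${TssHost}:$Port serves $($served.Subject), valid to $($served.NotAfter.ToUniversalTime().ToString('yyyy/MM/dd HH:mm:ss')) UTC"
```

If the old certificate is still served after the restart, the new one was installed somewhere the service does not read from, or the service was not actually restarted; the Administrator Log will show the TLS certificate change, and the Windows event log the service stop and start.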