WebRA
WebRA Profile
This section details how to configure the WebRA Profile.
How to configure WebRA Profile
1. Log in to Horizon Administration Interface.
2. Access WebRA Profiles from the drawer or card: Protocols > WebRA > Profiles.
3. Click on .
4. Fill in the mandatory fields.
General
- Name* (string input): Enter a meaningful profile name. This setting will be the profile identifier, and it must be unique for each profile.
- Enabled (boolean): Tells whether the profile should be enabled. The default value is set to true.
- WebRA Template* (select): Select a previously created WebRA Template.
- PKI* (select): Select a previously created PKI connector.
- Max certificate per holder (int): When specified, defines the maximum number of active certificates for a given Holder.
Cryptographic Policy
- Allowed key type* (select): Select from the list the allowed key types. The default values are set to RSA / 2048 and RSA / 3072.
- Decentralized enrollment (boolean): Tells whether the profile should be used with a decentralized enrollment mode, i.e. CSR (PKCS#10) signing by the PKI. The default value is set to false.
- Centralized enrollment (boolean): Tells whether the profile should be used with a centralized enrollment, i.e. providing a PKCS#12. The default value is set to false.
- Private key escrowing (boolean): Tells whether the private key should be escrowed by Horizon. Only available if Centralized enrollment is set to true. The default value is set to false.
- PKCS#12 Password generation mode* (select): Define if the PKCS#12 password is chosen by the user on the request (manual) or generated randomly (random). Only available if Centralized enrollment is set to true.
- Password policy for PKCS#12 password* (select): Select a previously created password policy. Only available if Centralized enrollment is set to true.
- Store encryption type (select): Select from the list the encryption type. Only available if Centralized enrollment is set to true. The default value is set to DES_AVERAGE.
- Show PKCS#12 Password On Enroll (boolean): Tells whether the PKCS#12 password should be displayed on enroll. Only available if Centralized enrollment is set to true. The default value is set to false.
- Show PKCS#12 On Enroll (boolean): Tells whether the PKCS#12 should be displayed on enroll. Only available if Centralized enrollment is set to true. The default value is set to false.
- Show PKCS#12 Password On Recover (boolean): Tells whether the PKCS#12 password should be displayed on recover. Enabled when the private key escrowing value is set to on. The default value is set to false.
- Show PKCS#12 On Recover (boolean): Tells whether the PKCS#12 should be displayed on recover. Enabled when the private key escrowing value is set to on. The default value is set to false.
Self Permissions
- Revoke (boolean): Tells whether self revoke permission is granted or not. The default value is set to false.
- Request Revoke (boolean): Tells whether self request revoke permission is granted or not. The default value is set to false.
- Update (boolean): Tells whether self update permission is granted or not. The default value is set to false.
- Request Update (boolean): Tells whether self request update permission is granted or not. The default value is set to false.
- Recover (boolean): Tells whether self recover permission is granted or not. The default value is set to false.
- Request recover (boolean): Tells whether self request recover permission is granted or not. The default value is set to false.
Triggers
WebRA profiles support the use of third-party triggers in the form of callbacks on specific events happening on the profile, giving a way to synchronize the third party repositories and Horizon.
- Enrollment (select): Select the third party trigger(s) to call whenever a certificate is enrolled on this profile.
- Revocation (select): Select the third party trigger(s) to call whenever a certificate gets revoked on this profile.
- Expire (select): Select the third party trigger(s) to call whenever a certificate expires on this profile.
You can further configure the profile using the Common configuration profile and Notification tabs.
5. Click on the save button.
You can edit, duplicate or delete the WebRA Profile.
You won’t be able to delete a WebRA Profile if it is referenced somewhere else.
WebRA Scheduled Tasks
This section details how to schedule tasks that will run periodically with your WebRA profiles.
How to configure WebRA Scheduled Tasks
1. Log in to Horizon Administration Interface.
2. Access the "Scheduled tasks" from the drawer or card: Protocols > WebRA > Scheduled Tasks.
3. Click on .
4. Fill in the mandatory fields.
- WebRA Profile* (select): Select a previously created WebRA profile.
- Target Connector* (select): Select a previously created third party connector.
- Cron scheduling (cron expression): Enter a Cron scheduling expression (in Quartz format). The default expression is built to run the task every 5 hours.
- Revoke (boolean): If enabled, will revoke all certificates whose container was deleted from the third party repository. The default value is set to false.
- Renew (boolean): If enabled, will renew all certificates that are about to expire. The default value is set to false.
- Dry run (boolean): If enabled, revocation and renewal actions will not be performed. Instead, a message will be logged, explaining what would have been done.
5. Click on the save button.
You can run, edit or delete the Scheduled Tasks.
WebRA Template
This section details how to define a custom structure for the subject DN and SAN fields of the requested certificate in order to match the configuration on the PKI side.
How to configure WebRA Template
1. Log in to Horizon Administration Interface.
2. Access WebRA Templates from the drawer or card: Protocols > WebRA > Templates.
3. Click on .
4. Fill in the mandatory fields.
Details
- Template Name* (string input): Enter a meaningful WebRA template name. It must be unique for each template.
Subject DN composition
You can add more elements by clicking the add button.
- Element* (select): Select an attribute from the elements list.
- Mandatory (boolean): Tells whether the element should be mandatory. The default value is set to false.
- Default value (string input): Set a default value to the element.
- Regex (string input): Enter a regular expression that the element should match.
- Editable by requester (boolean): Tells whether the element should be editable by the requester. The default value is set to false.
- Editable by approver (boolean): Tells whether the element should be editable by the approver. The default value is set to false.
You can remove an element by clicking the delete button.
SAN composition
You can add more elements by clicking the add button.
- Element* (select): Select an attribute from the element list.
- Mandatory (boolean): Tells whether the element should be mandatory. The default value is set to false.
- Default value (string input): Set a default value to the element.
- Regex (string input): Enter a regular expression that the element should match.
- Editable by requester (boolean): Tells whether the element should be editable by the requester. The default value is set to false.
- Editable by approver (boolean): Tells whether the element should be editable by the approver. The default value is set to false.
You can remove an element by clicking the delete button.
When adding a SAN or a DN element and making it mandatory, make sure to either give it a default value or make it editable by the requester, otherwise the template will be unusable.
5. Click on the save button.
You can edit, duplicate or delete the WebRA template.
You won’t be able to delete a WebRA template if it is referenced somewhere else.
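
The rule stated in step 4 (a mandatory DN or SAN element needs a default value or must be editable by the requester) can be checked on a template definition before it is saved, together with the regex and default value of each element. The following is an added example, not Horizon's own code: the dictionary keys, element names and sample values are constructed for illustration and are not Horizon's API or export schema, and the check assumes a regex must match the whole value and uses Python's regex dialect, which may differ from the one Horizon applies.

```python
import re

# Constructed sample: a hypothetical dict form of the template fields described
# above. Keys mirror the UI labels; this is not Horizon's API or export schema.
SAMPLE_TEMPLATE = {
    "subject_dn": [
        {"element": "CN", "mandatory": True, "default": None,
         "regex": r"[a-z0-9-]+\.example\.test", "editable_by_requester": True},
        {"element": "O", "mandatory": True, "default": None,
         "regex": None, "editable_by_requester": False},
        {"element": "C", "mandatory": True, "default": "fra",
         "regex": r"[A-Z]{2}", "editable_by_requester": False},
    ],
    "san": [
        {"element": "DNSNAME", "mandatory": False, "default": None,
         "regex": r"([a-z0-9-]+\.example\.test", "editable_by_requester": True},
    ],
}

def lint_template(template):
    """Return a list of (section, element, problem) findings for a template."""
    findings = []
    for section in ("subject_dn", "san"):
        for el in template.get(section, []):
            name, default, pattern = el["element"], el.get("default"), el.get("regex")
            compiled = None
            if pattern:
                try:
                    compiled = re.compile(pattern)
                except re.error as exc:
                    findings.append((section, name, f"regex does not compile: {exc}"))
            # Rule from the page: a mandatory element needs a default value
            # or must be editable by the requester, else the template is unusable.
            if el.get("mandatory") and not default and not el.get("editable_by_requester"):
                findings.append((section, name,
                                 "mandatory but no default and not editable by requester"))
            # Assumption: the regex has to match the whole value, so the
            # default value itself is tested with fullmatch().
            if compiled and default and not compiled.fullmatch(default):
                findings.append((section, name, f"default {default!r} does not match regex"))
    return findings

if __name__ == "__main__":
    for section, name, problem in lint_template(SAMPLE_TEMPLATE):
        print(f"{section}/{name}: {problem}")
```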