

Activate the CAM and CAFT Encryption for Windows NT

If your CA IdentityMinder installation is using the CAM/CAFT encryption, ask your CA IdentityMinder administrator for a copy of the Public Key keyfile and password in use.

If this is an initial installation of Provisioning Server, Provisioning Manager or CA IdentityMinder Agent, and you want to activate CAM/CAFT encryption for the communication between the Provisioning Server and other CA IdentityMinder servers or system endpoints, you must generate a Public Key file by entering the following command at the command prompt:

>caftkey -g keyfile password
keyfile

Defines the name that you assign to the key file.

password

Defines the password that you assign to the key file.

To activate the CAM and CAFT encryption

  1. Install your Public Key on both the CAFT Agent and the CAFT CA IdentityMinder computers using the previously generated key file (see above) by entering the following command at the command prompt, where policy_setting is -i, -m, or omitted as described below:
    >caftkey -policy_setting keyfile password
    

    The policy_setting governs the communication between this computer (the local computer) and other computers that have the CAM and CAFT service installed, but may or may not have the CAM and CAFT encryption certificates installed.

    The -i option specifies Policy -1. This policy lets computers running previous versions of the CAM and CAFT service execute commands on this computer and lets this computer execute commands on those computers. Policy -1 encrypts messages if the other computer has these certificates installed. This policy does not encrypt messages if the other computer does not have these certificates installed.

    The -m option specifies Policy 1. This policy prohibits other computers from executing commands on this computer if they are running previous versions of the CAM and CAFT service without the encryption certificates. This policy also prohibits this computer from executing commands on those computers.

    If both computers have the CAM and CAFT encryption certificates installed but have different Public Key Files installed when Policy 1 is set, command requests between the two computers always fail.

    The blank option specifies Policy 0. This policy is set if no Public Key File is installed, the CAM and CAFT encryption certificates were not installed properly, or if you do not specify a policy setting when you enter the caftkey command. Policy 0 specifies no encryption.

  2. Recycle the CAM Service on each box where you install the new Key as follows:
    prompt> cam close              //stop the CAM/CAFT service and processes
    
    prompt> cam start             //start the CAM service and process
    
  3. After recycling the CAM service, recycle the CAFT service by issuing the following statement:
    prompt> caft
    
  4. Check the log produced by the CAFT service, and confirm the policy setting by issuing the following statement:
    prompt> type "%CAI_MSQ%\ftlogs\dg000"
    

    The output will be similar to the following example:

    D:\> type "%CAI_MSQ%\ftlogs\dg000"
    
    	Thu Feb 16 09:05 Starting CAFT version 1.12 (Build 28)
    
    	Thu Feb 16 09:05 Encryption Policy -1
    
    	Thu Feb 16 09:05 ------- CAFT initialize complete -------
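
The check in step 4 is easy to get wrong by eye when the log is long or CAFT has been restarted several times. The following script is an added example, not part of the CA IdentityMinder documentation: it reads CAFT log text in the dg000 format shown above, extracts the last "Encryption Policy" line, compares it with the caftkey option that was used (-i, -m, or blank, mapped to policies -1, 1 and 0 as described in step 1), and flags Policy 0 because it means no encryption is in effect. The function names, the option-to-policy dictionary and the embedded sample log are this example's own constructions; the log path is the one the procedure uses.

```python
"""Verify the CAM/CAFT encryption policy recorded in the CAFT log (dg000).

Added example, not part of the CA IdentityMinder documentation. The log
line format comes from the sample dg000 output in step 4; the helper names
and the option/policy mapping are this example's own.
"""
import os
import re
from pathlib import Path

# caftkey option -> policy number, as described in step 1.
OPTION_TO_POLICY = {"-i": -1, "-m": 1, "": 0}

POLICY_MEANING = {
    -1: "encrypts only when the peer has the certificates installed; plaintext otherwise",
    1: "requires the certificates and the same Public Key File on both sides",
    0: "no encryption",
}

# Default log location used by the procedure (expanded on Windows only).
DEFAULT_LOG_PATH = os.path.expandvars(r"%CAI_MSQ%\ftlogs\dg000")

# Constructed sample, copied from the format of the step 4 output.
SAMPLE_LOG = (
    "\tThu Feb 16 09:05 Starting CAFT version 1.12 (Build 28)\n"
    "\tThu Feb 16 09:05 Encryption Policy -1\n"
    "\tThu Feb 16 09:05 ------- CAFT initialize complete -------\n"
)

_POLICY_RE = re.compile(r"Encryption Policy\s+(-?\d+)\s*$")


def parse_policy(log_text):
    """Return the policy number from the last 'Encryption Policy' line, or None.

    The last occurrence is used because each CAFT restart appends a new
    startup banner, and only the most recent one reflects the current state.
    """
    policy = None
    for line in log_text.splitlines():
        match = _POLICY_RE.search(line)
        if match:
            policy = int(match.group(1))
    return policy


def check_policy(log_text, expected_option):
    """Compare the logged policy with the caftkey option that was entered.

    Returns (ok, message). Policy 0 is always reported as a problem because
    it means the key or certificates are missing and traffic is unencrypted.
    """
    if expected_option not in OPTION_TO_POLICY:
        raise ValueError("expected_option must be '-i', '-m' or ''")
    expected = OPTION_TO_POLICY[expected_option]
    found = parse_policy(log_text)
    if found is None:
        return False, "no 'Encryption Policy' line found; CAFT may not have been recycled"
    if found != expected:
        return False, "policy %d logged, expected %d for option %r" % (found, expected, expected_option)
    if found == 0:
        return False, "Policy 0 in effect: no Public Key File or certificates not installed properly (no encryption)"
    return True, "policy %d: %s" % (found, POLICY_MEANING[found])


def check_log_file(path, expected_option):
    """Run check_policy against a log file on disk."""
    text = Path(path).read_text(errors="replace")
    return check_policy(text, expected_option)


if __name__ == "__main__":
    ok, message = check_policy(SAMPLE_LOG, "-i")
    print("OK" if ok else "PROBLEM", "-", message)
```

Run it on a real box with `check_log_file(DEFAULT_LOG_PATH, "-m")` (or whichever option you used) after step 3; a "PROBLEM" result for Policy 0 means the key installation in step 1 did not take effect and the two computers are talking in clear text.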