-
タイトル
HSTS Certificate requirement for Password Manager 5.15 -
説明
In Password Manager 5.15, HSTS (Strict HTTP) is enabled by default. This means that a certificate is required to be installed on the Password Manager servers and configured in IIS before proceeding with an installation or upgrade.
While One Identity cannot assist with the Certificate creation or request portion, the steps outlined below cover the core requirements for the Certificate and how to apply it on the Password Manager server.
NOTE: For testing purposes, HSTS can be disabled in order to access the Password Manager sites without using HTTPS. To do so:
- Open regedit
- Navigate to HKEY_LOCAL_MACHINE\Software\One Identity\Password Manager
- Change HSTSEnabled value to false
- Restart Password Manager service
-
対策
Core Certificate Requirements:
- Key Usage: Digital Signature, Server Authentication
- Subject Alternative Name: Include all possible names for all servers within the Realm instance. For example, the server short (NetBIOS) name, the server FQDN, wildcard of the domain (i.e. *.mydomain.local).
- The certificate must be created by a trusted Certificate Authority. A self-signed Certificate from IIS will not work.
Pre-Installation Checklist:
- Install the Certificate on all Password Manager servers (Computer | Personal certificate store)
- Add a binding for ports 443 and 20000 in IIS and select this new certificate
Post-Installation:
- Open PMAdmin | Configuration | Reinitialization.
- In the Certificate Name dropdown, select the newly installed certificate and click Save.
- Open the PMSelfService site and enter a name that matches what is in the Certificate.
EXAMPLE CERTIFICATE AND CONFIGURATION
NOTE: This example is for a domain called "demo2.lab". The two Password Manager servers are demo2app7 and demo2app8.
Certificate Details
IIS BINDING:
PASSWORD MANAGER:
