When the Password Manager Service is installed on one computer and the Self-Service and Helpdesk sites are installed on a different server, certificate-based authentication and traffic encryption are used to protect the traffic between these components.
By default, the Password Manager Service uses its built-in certificate. Using a custom certificate is an option; however, the same custom certificate must then be used on both the internal Password Manager servers and the external-facing Password Manager servers, or communication between them will be broken. Custom certificates must be issued by a trusted Windows-based certification authority.
This article provides instructions on how to start using custom certificates for authentication and traffic encryption between Password Manager components.
Step 1: Obtain and Install Custom Certificates From a Trusted Windows-Based Certification Authority
You must obtain two certificates from a trusted Windows-based certification authority: one for the computer running the Password Manager Service (server computer) and another for computers running the Self-Service or Helpdesk site (client computers).
When obtaining certificates, make sure that:
• The server computer can be reached from the client computers by the name given in the server certificate's CN.
• Both (signature and exchange) is selected as the key usage in the certificate request.
• The Enable strong private key protection option is NOT selected in the certificate request.
• If Password Manager is installed on a computer running Windows Server 2003, install the hotfix below before installing custom certificates on that computer.
The following is a sample procedure describing how to obtain a certificate through the Windows 2008 Certificate Services Web interface.
IMPORTANT: When obtaining a certificate for the server computer, perform the following procedure on a computer where the Password Manager Service runs and use the Password Manager Service account to run Internet Explorer. When obtaining a certificate for the client computers, perform the following procedure on a computer running the Self-Service or Helpdesk site and use the Application Pool Identity account to run Internet Explorer.
To request a certificate using Windows 2008 Certificate Services Web Interface:
1) Use Internet Explorer to open https://servername/certsrv, where servername is the name of the Web server running Windows Server 2008 that hosts the certification authority you want to access.
2) On the Welcome page, click Request a certificate.
3) On the Request a Certificate page, click advanced certificate request.
4) On the Advanced Certificate Request page, click Create and submit a certificate request to this CA.
5) Provide identification information as required. In the Name text box, enter the name of the server for which you are requesting a certificate.
6) In Type of Certificate Needed, select Server Authentication Certificate.
7) In Key Options, select Create new key set, and specify the following options:
• In CSP (Cryptographic service provider), select Microsoft Enhanced RSA and AES Cryptographic Provider.
• In Key Usage, click Both.
• In Key Size, set 1024 or more.
• Select Automatic key container name.
• Select the Mark keys as exportable check box.
• Clear the Enable strong private key protection check box.
8) In Additional Options, specify the following:
• In Request Format, select CMC.
• In Hash Algorithm, select sha1.
• Do not select the Save request check box.
• Specify attributes if necessary and a friendly name for your request.
9) Click Submit.
10) If you see the Certificate Issued Web page, click Install this certificate. If your request must first be approved by your administrator, wait for the approval, then return to https://servername/certsrv, click View the status of a pending certificate request, and install the issued certificate.
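Before selecting the issued certificate in Password Manager, it is worth confirming that it actually satisfies the checklist above (CN reachable from the client computers, key usage Both, no strong private key protection, exportable key, trusted issuer, Server Authentication purpose). The following PowerShell script is an added example, not part of the One Identity article: run it on the computer where the certificate was installed, passing the thumbprint of the certificate issued in the procedure above. The thumbprint, the store path and the CSP name are assumptions for your environment; the script enforces only the minimums the article states (1024-bit or larger key), so tighten the thresholds to match your own CA policy.

```powershell
# Added example (not One Identity code): validate a Password Manager custom certificate
# against the Step 1 requirements. Save as Test-PMCertificate.ps1 and run as the account
# that requested the certificate (Password Manager Service account or Application Pool Identity).
param(
    [Parameter(Mandatory)] [string] $Thumbprint,                 # assumption: supplied by the operator
    [string] $StorePath = 'Cert:\LocalMachine\My'                # assumption: machine personal store
)

$expectedCsp = 'Microsoft Enhanced RSA and AES Cryptographic Provider'   # CSP chosen in step 7
$serverAuthOid = '1.3.6.1.5.5.7.3.1'                                     # Server Authentication EKU

$cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate with thumbprint $Thumbprint was not found in $StorePath." }

$problems = New-Object System.Collections.Generic.List[string]

# Requirement: the server computer must be reachable by the name in the certificate CN.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
try {
    $null = [System.Net.Dns]::GetHostAddresses($cn)
} catch {
    $problems.Add("The certificate CN '$cn' does not resolve from this computer.")
}

# Requirement: key usage 'Both' = digital signature AND key encipherment (exchange).
$ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$wantedKu = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
if (-not $ku -or (($ku.KeyUsages -band $wantedKu) -ne $wantedKu)) {
    $problems.Add("Key usage is '$($ku.KeyUsages)'; the request must use Both (signature and exchange).")
}

# Requirement: the certificate was requested as a Server Authentication certificate.
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
    $problems.Add('The certificate does not carry the Server Authentication enhanced key usage.')
}

# Requirement: private key present, exportable, and NOT under strong private key protection.
if (-not $cert.HasPrivateKey) {
    $problems.Add('No private key is associated with this certificate in the store.')
} else {
    try {
        $info = $cert.PrivateKey.CspKeyContainerInfo          # CAPI key, as produced by the CSP above
        if ($info.ProviderName -ne $expectedCsp) { $problems.Add("Key lives in CSP '$($info.ProviderName)', expected '$expectedCsp'.") }
        if (-not $info.Exportable) { $problems.Add('The private key is not marked exportable.') }
        if ($info.Protected)      { $problems.Add('Strong private key protection is enabled; the service cannot use this key unattended.') }
    } catch {
        $problems.Add("The private key could not be opened by this account: $($_.Exception.Message)")
    }
}

# Requirement: key size 1024 or more (the article's stated minimum).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if (-not $rsa)                 { $problems.Add('The certificate does not contain an RSA public key.') }
elseif ($rsa.KeySize -lt 1024) { $problems.Add("Key size is $($rsa.KeySize) bits; 1024 or more is required.") }

# Requirement: issued by a trusted Windows-based CA, i.e. the chain builds to a trusted root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems.Add("The certificate chain is not trusted on this computer: $status")
}

[pscustomobject]@{
    Subject            = $cert.Subject
    Issuer             = $cert.Issuer
    NotAfter           = $cert.NotAfter
    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
    Problems           = $problems
    Ready              = ($problems.Count -eq 0)
}
```

Run it on the server computer for the server certificate and on each Self-Service or Helpdesk computer for the client certificate; Ready is true only when every listed requirement holds, and the Problems list names exactly which requirement failed so the certificate can be re-requested with the correct options before it is selected in the Administration, Self-Service or Helpdesk site.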
Step 2: Provide Certificate Issued for Server Computer to Password Manager Service
In this step, you provide the certificate issued for the server computer to the Password Manager Service by using the Administration site.
To provide the certificate to the Password Manager Service:
1) Open the Administration site by entering the following address: http(s)://<ComputerName>/PMAdmin, where <ComputerName> is the name of the computer on which Password Manager is installed.
2) Click General Settings | Instance Reinitialization. Under the Service connection settings, select the custom certificate issued for the server computer from the Certificate name drop-down list.
3) Click Save.
Step 3: Provide Certificate Issued for Client Computers to Self-Service and Helpdesk Sites
In this step, you provide the certificate issued for the client computers to the Self-Service and Helpdesk sites installed separately from the Password Manager Service.
To provide the certificate to the Self-Service Site:
1) Open the Self-Service site by entering the following address: http(s)://<ComputerName>/PMUser, where <ComputerName> is the name of the computer on which the Self-Service site is installed. The Self-Service Site Initialization page is displayed automatically the first time the Self-Service site is opened.
2) From the Certificate name drop-down list, select the custom certificate issued for the client computer.
3) Click Save.
To provide the certificate to the Helpdesk Site:
1) Open the Helpdesk site by entering the following address: http(s)://<ComputerName>/PMHelpdesk, where <ComputerName> is the name of the computer on which the Helpdesk site is installed. The Helpdesk Site Initialization page is displayed automatically the first time the Helpdesk site is opened.
2) From the Certificate name drop-down list, select the custom certificate issued for the client computer.
3) Click Save.