
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Managing protection modes

In this section:

Displaying the current protection mode

Displaying the current protection mode

Subject

EAM Console allows you to display the current protection mode.

Procedure

In EAM Console, click File\Protection mode.

  • The protection mode management window appears and displays the protection mode in use. The following window shows an example of software protection mode.

Migrating from software protection mode to hardware protection mode

Subject

If you migrate from software to hardware protection mode, the administration keys will be protected by smart cards only; you will no longer be able to log on to EAM Console without a smart card.

In hardware protection mode:

  • The administration keys are protected by the Security Module.
  • The Security Module or a smart card is required to start EAM Console.
  • The password reset server (Self Service Password Request server) is configured to use smart card authentication.

Before starting

  • You must be a primary administrator to perform this task.
  • Make sure all administrators possess smart cards that grant administration rights.
  • Make sure you have an EAM Security Module smart card and the administration pass-phrase that is currently protecting the security database.
  • If you use the EAM password reset server (Self Service Password Request server), make sure it is configured to use smart card authentication. For more information, see One Identity EAM Installation Guide.

Procedure

  1. Display the current protection mode, as detailed in Section Displaying the current protection mode.
  2. In the Migration tab, click the Migrate to hardware protection mode button.
    • The change protection mode window appears, asking you to insert the Security Module, its associated PIN and the administration pass-phrase.
  3. Follow the displayed instructions and enter the required information, and click OK.
    • A confirmation window appears.
  4. Click OK.
    • You are now working in hardware protection mode.

Managing administrators whose administration keys are protected by password

Subject

The migration from software to hardware protection mode does not delete all copies of the administration keys from the directory. The directory contains an encrypted copy of one or both of the following administration keys:

  • SSO Recovery: key pair that protects the copy of the owner's SSO recoverable key in the directory.
  • Token Administration: key pair that protects smart card administration data in the directory.

This section explains how to display and manage the administrators who have copies of these administration keys.

Before starting

You must be a primary administrator to delete copies of an administration key.

Procedure

  1. Display the current protection mode, as detailed in Section Displaying the current protection mode.
  2. Click the Software Mode Keys tab.
    • The tab lists the names of the administrators who have copies (stored in the directory) of administration keys.

  3. To delete copies of administration keys, select the line(s) you want and click the Delete Keys button.

    The copies of the administration keys encrypted with the recoverable keys of the selected administrators are deleted from the directory.
