Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Enabling the automatic renewal of smart card certificates

Subject

You can allow users to automatically renew their public key certificates stored on their smart cards. Renewal of public key certificates on a Windows workstation is described in the following web page: http://msdn.microsoft.com/en-us/library/ms867026.aspx#certenroll_topic8.

When a public key certificate is about to expire, Authentication Manager displays the serial number and expiration time of the user's certificate and asks for his/her PIN to renew the certificate.

Restrictions

The automatic renewal of the public key certificate is only:

  • Available upon a successful smart card authentication.
  • Supported for X.509 certificates issued by Microsoft Certificate Services.
  • Compatible only with Windows Smartlogon cards.

Before starting

The workstations must belong to an EAM domain.

Procedure

  1. Set the following registry values, locally or through a GPO:
    • AdvancedLogin\CertificateWarningAll (REG_DWORD) = 1: Authentication Manager reads the expiration date of the user's certificate stored on the smart card.
    • AdvancedLogin\CertificateWarningDays (REG_DWORD): number of days before expiration from which Authentication Manager displays a message to the user indicating the time remaining before his/her smart card certificate expires.
    • AdvancedLogin\CertificateAutomaticRenewal (REG_DWORD) = 1: activates the automatic renewal of the user's certificate.
  2. In the TokenManagerStructure.xml configuration file, available in the DRIVERS folder of the E-SSO installation package, set the following names:
    • Name of the issuing certification authority.
    • Name of the certificate template.

    Here is an example of the XML section to edit (the parts to modify are the values of cert_ca_name and cert_template; cert_ca_name uses the Certificate Services form "CA host\CA name"):

    <?xml version="1.0" encoding="ISO-8859-1" ?>
    <token_class id="CYBERFLEX" display_name="CyberFlex PKCS#11">
      <class_config id="Win2K-IK" display_name="Windows Smartlogon Compatible">
        <data_structure>
          <certificate interface="MSCAPI" id="0x0101">
            <cert_request_mode>request</cert_request_mode>
            <cert_set_as_default>yes</cert_set_as_default>
            <cert_ca_name>haddock.qaesso.frcl.bull.fr\ca-qaesso</cert_ca_name>
            <cert_template>SmartcardUser5j</cert_template>
          </certificate>
          <module id="0x0101" display_name="Renewal smartcarduser">
            <keyref>0x0101</keyref>
            <certref>0x0101</certref>
          </module>
        </data_structure>
      </class_config>
    </token_class>

    • Upon a successful renewal of the user's public key certificate, the renewed certificate is added to the user's smart card. The existing public key certificate is not deleted from the smart card.
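The following PowerShell script is an added example, not code from the One Identity guide. It applies the two configuration steps above on one workstation and reads both back, so a wrong value or a misplaced XML element fails loudly instead of being discovered at the next certificate expiry. The guide gives only the relative registry path AdvancedLogin\..., so the parent key ($RegBase), the XML path ($XmlPath), the CA name and the template name are all assumptions to replace with your own values.

```powershell
<#
 Added example (not from the One Identity guide): apply and verify the two steps of
 the automatic renewal procedure on a workstation.
 Assumptions, none of which are stated on the page:
   - $RegBase is the parent key of the "AdvancedLogin" subkey; take the real hive
     path from your EAM deployment or the GPO template you use.
   - $XmlPath is your working copy of TokenManagerStructure.xml (DRIVERS folder).
   - $CaName and $Template are placeholders for the issuing CA and the template.
 Run in an elevated session; the registry writes need administrator rights.
#>
param(
    [string]$RegBase  = 'HKLM:\SOFTWARE\ExampleVendor\ESSO',         # assumed, adjust
    [string]$XmlPath  = 'C:\Work\TokenManagerStructure.xml',          # assumed, adjust
    [string]$CaName   = 'ca-host.example.local\Example-Issuing-CA',   # placeholder
    [string]$Template = 'SmartcardUser',                               # placeholder
    [ValidateRange(1, 365)][int]$WarningDays = 30
)
$ErrorActionPreference = 'Stop'

# Step 1: the three REG_DWORD values named in the procedure.
$keyPath = Join-Path $RegBase 'AdvancedLogin'
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
$wanted = [ordered]@{
    CertificateWarningAll       = 1             # read the expiry date from the card
    CertificateWarningDays      = $WarningDays  # warn this many days before expiry
    CertificateAutomaticRenewal = 1             # enable the renewal itself
}
foreach ($name in $wanted.Keys) {
    New-ItemProperty -Path $keyPath -Name $name -PropertyType DWord `
        -Value $wanted[$name] -Force | Out-Null
}
# Read back: a GPO applied later can overwrite these, so verify rather than assume.
$actual = Get-ItemProperty -Path $keyPath
foreach ($name in $wanted.Keys) {
    if ([int]$actual.$name -ne $wanted[$name]) {
        throw "Registry value $name is '$($actual.$name)', expected $($wanted[$name])"
    }
}

# Step 2: CA and template names in TokenManagerStructure.xml.
# XmlDocument.Load honours the file's own encoding declaration (ISO-8859-1 in the
# guide's sample) and Save keeps it, which Get-Content -Raw / Set-Content would not.
$fullXml = (Resolve-Path -Path $XmlPath).ProviderPath
$doc = New-Object System.Xml.XmlDocument
$doc.Load($fullXml)

# Renewal is only supported for Windows Smartlogon cards, so edit only the
# "Win2K-IK" class_config and its MSCAPI certificate entry, as in the sample above.
$certNode = $doc.SelectSingleNode(
    "//class_config[@id='Win2K-IK']/data_structure/certificate[@interface='MSCAPI']")
if (-not $certNode) { throw "No MSCAPI certificate entry under class_config Win2K-IK in $fullXml" }

$names = @{ cert_ca_name = $CaName; cert_template = $Template }
foreach ($pair in $names.GetEnumerator()) {
    $el = $certNode.SelectSingleNode($pair.Key)
    if (-not $el) { throw "Element <$($pair.Key)> missing in $fullXml" }
    $el.InnerText = $pair.Value
}
$doc.Save($fullXml)

# Print what was written so it can be checked against the CA's published templates.
$check = $doc.SelectSingleNode("//class_config[@id='Win2K-IK']//certificate[@interface='MSCAPI']")
"cert_ca_name  = $($check.cert_ca_name)"
"cert_template = $($check.cert_template)"
```

The XPath deliberately targets the class_config with id "Win2K-IK" rather than the first certificate element in the file, because a real TokenManagerStructure.xml can carry several token classes and only the Windows Smartlogon Compatible one is eligible for renewal.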

 

Assigning smart cards (except loan cards)

Task to perform | In classic administration mode, you must have: | In advanced administration mode, you must have:
Formatting smart cards | "Smart card administrator" | "Token: Formatting"
Assigning a batch of smart cards to many users | "Smart card administrator" | "Token: Assignment"
Assigning a smart card to a user | "Smart card administrator" and at least "Security object administrator" or "access" or "rights" | "Token: Assignment" and "Directory: Browsing"

Assigning smart cards

Subject

This section describes the methods to assign batches of cards and single cards. The first method is performed in the Smart Card panel and the second method is performed in the Directory panel.

NOTE: You must have as many blank smart cards as the number of users requiring smart cards and at least two smart card readers.

Procedure

Assigning a batch of smart cards to many users

  1. In the Smart Card panel, click the button located in the tool bar.
    • The assigning window appears.
  2. Click the Add button and, in the displayed window, select the wanted users.
    Use the Browse tab to browse the directory tree structure or use the Search tab to find the user by name.

    NOTE: you can select an organizational unit to add all the users registered in this unit.
    • The users appear in the Selected users area.
  3. Click Assign.

Assigning a smart card to a user

  1. In the tree structure of the Directory panel, click the user to whom you want to assign a smart card.
  2. Click the Smart Card tab.
  3. Click the Assign button.
    • The assigning window appears.

Then, for either method, continue as follows:

  4. Insert the smart card of the user in the reader and complete this window:
    • In the Smart card area, select the smart card to assign.
    • In the Configuration area, select one of the predefined templates:
      • Authentication Manager
      • Authentication Manager – SmartCard Storage

        These two configurations generate a card compatible with the EAM software modules.

        IMPORTANT:
        • Selecting one of these card templates is mandatory if you want to store user authentication data on the card.
        • You are advised to select one of these card templates if the card is only used with EAM software modules and certificates are not used.
      • Windows Smartlogon Compatible: this template generates a card that supports standard Windows smart card logon. It manages a single certificate, the smart card authentication certificate. It is not compatible with the two Authentication Manager authentication types above.

        NOTE: You cannot apply this template through a Windows Remote Desktop session.
      • Biometrics Store-On-Card: this template generates a card that can hold biometric data.

        NOTE: It is also possible to create customized configurations. Contact your One Identity representative for further information.
  5. Click OK.
    • The assignment configuration window appears.
  6. Complete the different tabs according to your choice and the card type, and click OK.
    • The smart card is customized and assigned to the user once you have completed the tabs of the assignment window, which are, in order:

      • This tab applies to any type of card. Complete only the parts related to PIN management and card expiration management.

        NOTE: the Loan card management part is described in Managing loan cards.

      • This tab applies to any type of card. Select the first check box to store the user's password on the card, and select the second check box to force a new password in the directory.

      • This tab applies to any type of card. You can delegate administration rights, upon assignment, to a user registered in the directory. For more information on administration rights, see Section Managing administrators.

      • This tab applies to Windows Smartlogon Compatible cards only. Select the check boxes corresponding to the certificates to be generated during the assignment. For more information, see Section Managing smart card certificates.

      • This tab applies to any type of card. It summarizes the modules to which this card gives access. It is for information purposes only.

    NOTE: Repeat Steps 4, 5 and 6 for each selected user when you use the batch assignment method.

Assigning a smart card managed by an external CMS

EAM allows you to assign smart cards that are managed outside the solution by an external card management system (CMS). You must complete the assignment configuration window as detailed below:

 

The tabs of the assignment window are, in order:

  • IMPORTANT: the technical account used to assign smart cards managed from an external CMS must have the right to modify the employeeNumber attribute in the directory.

    In this tab:

    • The employeeNumber field (directory attribute) displays the new value of this attribute, read from the user's certificate found on the card.
    • The Current value field displays the current value of this attribute for the user in the directory.

  • Select the Protect user's password with token check box if you want to store the user's directory password on this smart card.

    Select the Force a new password check box if you want to automatically generate a new random password for that user. Because the user does not know the generated password, he/she can no longer bypass the smart card by logging on with the password.

  • The Identification attributes of the user area is used to identify the owner of the smart card: EAM maps an attribute of the user's certificate found on the card to an attribute of the user object in the directory. The two values must match for EAM to retrieve the owner of the card during authentication.

  • This tab allows you to provide the unblocking code (PUK) of the user's smart card.
