You can allow users to automatically renew their public key certificates stored on their smart cards. Renewal of public key certificates on a Windows workstation is described in the following web page: http://msdn.microsoft.com/en-us/library/ms867026.aspx#certenroll_topic8.
When a public key certificate is about to expire, Authentication Manager displays the serial number and expiration time of the user's certificate and asks for the user's PIN to renew the certificate.
The automatic renewal of the public key certificate is only:
The workstations must belong to an EAM domain.
Procedure
Here is an example of the XML section to edit:

    <?xml version="1.0" encoding="ISO-8859-1" ?>
    <token_class id="CYBERFLEX" display_name="CyberFlex PKCS#11">
      <class_config id="Win2K-IK" display_name="Windows Smartlogon Compatible">
        <data_structure>
          <certificate interface="MSCAPI" id="0x0101">
            <cert_request_mode>request</cert_request_mode>
            <cert_set_as_default>yes</cert_set_as_default>
            <cert_ca_name>haddock.qaesso.frcl.bull.fr\ca-qaesso</cert_ca_name>
            <cert_template>SmartcardUser5j</cert_template>
          </certificate>
          <module id="0x0101" display_name="Renewal smartcarduser">
            <keyref>0x0101</keyref>
            <certref>0x0101</certref>
          </module>
        </data_structure>
      </class_config>
    </token_class>
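A renewal module that points at a certificate id which does not exist, or a CA name missing its host part, only shows up when a user's certificate fails to renew. The following is an added example, not One Identity's own code, that checks a token_class section for that kind of inconsistency before it is deployed. Element and attribute names are taken from the sample above; the rules it enforces (ids look like 0xNNNN, a module's certref must name an existing certificate, cert_ca_name has the host\CA-name form) are this example's assumptions, not EAM's own validation.

```python
# Added example, not One Identity's own code: a pre-deployment consistency
# check for an EAM token_class XML section. Element and attribute names are
# taken from the sample on this page; the rules below (ids are 0xNNNN, a
# module's certref must name an existing certificate, the CA name has the
# host\CA-name form) are this example's assumptions, not EAM's validator.
import re
import xml.etree.ElementTree as ET

# Constructed input: the renewal section shown on this page, verbatim.
SAMPLE_XML = """<?xml version="1.0" encoding="ISO-8859-1" ?>
<token_class id="CYBERFLEX" display_name="CyberFlex PKCS#11">
  <class_config id="Win2K-IK" display_name="Windows Smartlogon Compatible">
    <data_structure>
      <certificate interface="MSCAPI" id="0x0101">
        <cert_request_mode>request</cert_request_mode>
        <cert_set_as_default>yes</cert_set_as_default>
        <cert_ca_name>haddock.qaesso.frcl.bull.fr\\ca-qaesso</cert_ca_name>
        <cert_template>SmartcardUser5j</cert_template>
      </certificate>
      <module id="0x0101" display_name="Renewal smartcarduser">
        <keyref>0x0101</keyref>
        <certref>0x0101</certref>
      </module>
    </data_structure>
  </class_config>
</token_class>
"""

# Constructed broken variant: the renewal module points at a certificate
# id that is not declared anywhere in the section.
BROKEN_XML = SAMPLE_XML.replace("<certref>0x0101</certref>", "<certref>0x0102</certref>")

HEX_ID = re.compile(r"^0x[0-9A-Fa-f]{4}$")
REQUIRED_CERT_TAGS = ("cert_request_mode", "cert_set_as_default", "cert_ca_name", "cert_template")


def check_token_class(xml_text):
    """Return a list of human-readable problems; an empty list means the
    <data_structure> section is internally consistent."""
    # The declaration says ISO-8859-1, so give the parser bytes in that
    # encoding rather than a str, so that the declaration is honoured.
    root = ET.fromstring(xml_text.encode("iso-8859-1"))
    problems = []
    cert_ids = set()

    for cert in root.iter("certificate"):
        cid = cert.get("id", "")
        if not HEX_ID.match(cid):
            problems.append(f"certificate id {cid!r} is not of the form 0xNNNN")
        if cid in cert_ids:
            problems.append(f"duplicate certificate id {cid}")
        cert_ids.add(cid)
        for tag in REQUIRED_CERT_TAGS:
            if not (cert.findtext(tag) or "").strip():
                problems.append(f"certificate {cid}: <{tag}> is missing or empty")
        ca_name = (cert.findtext("cert_ca_name") or "").strip()
        if ca_name and "\\" not in ca_name:
            problems.append(f"certificate {cid}: <cert_ca_name> {ca_name!r} is not in host\\CA-name form")

    for module in root.iter("module"):
        mid = module.get("id", "?")
        keyref = (module.findtext("keyref") or "").strip()
        certref = (module.findtext("certref") or "").strip()
        if not HEX_ID.match(keyref):
            problems.append(f"module {mid}: <keyref> {keyref!r} is not of the form 0xNNNN")
        if certref not in cert_ids:
            problems.append(f"module {mid}: <certref> {certref!r} matches no <certificate id>")
    return problems


if __name__ == "__main__":
    for label, text in (("page sample", SAMPLE_XML), ("broken sample", BROKEN_XML)):
        found = check_token_class(text)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run against the page's own section the check reports nothing; against the broken variant it reports the dangling certref. xml.etree is used here because the file is a locally administered configuration, not untrusted input.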
Task to perform | In classic administration mode, you must have: | In advanced administration mode, you must have:
--- | --- | ---
Formatting smart cards | "Smart card administrator" | "Token: Formatting"
Assigning a batch of smart cards to many users | "Smart card administrator" | "Token: Assignment"
Assigning a smart card to a user | "Smart card administrator" and at least "Security object administrator" or "access" or "rights" | "Token: Assignment" and "Directory: Browsing"
This section describes the methods to assign batches of cards and single cards. The first method is performed in the Smart Card panel and the second method is performed in the Directory panel.
NOTE: You must have as many blank smart cards as the number of users requiring smart cards and at least two smart card readers.
Procedure
Assigning a batch of smart cards to many users
Assigning a smart card to a user
These configurations generate a card compatible with EAM software modules.
NOTE: You cannot apply this template using the Windows Remote Desktop feature.
NOTE: It is also possible to create customized configurations. Contact your One Identity representative for further information.
Tabs of the assignment windows and their descriptions:
This tab applies to any type of card. You must complete only the parts related to PIN management and card expiration management.
This tab applies to any type of card. Select the first check box to store the user's password on the card, and select the second check box to force a new password in the directory.
This tab applies to any type of card. You can delegate administration rights upon an assignment to a user registered in the directory. For more information on administration rights, see Section Managing administrators.
This tab applies to Windows Smartlogon Compatible cards. Select the check boxes corresponding to the certificates to be generated during the assignment. For more information, see Section Managing smart card certificates.
This tab applies to any type of card. It summarizes the modules to which you can have access with this card. It is for information purposes only.
NOTE: Repeat Steps 4, 5 and 6 for each selected user when you use the batch assignment method.
EAM allows you to assign smart cards managed outside the solution, using an external content management system. You must complete the assignment configuration window as detailed below:
Tabs of the assignment windows and their descriptions:
In the above example window:
Select the Protect user's password with token check box if you want to store the user's directory password for this smart card. Select the Force a new password check box if you want to automatically generate a new random password for that user; this prevents the user from using the password themselves. The Identification attributes of the user area is used to identify the owner of the smart card: to identify the owner automatically, EAM uses an attribute mapping between the content of the user's certificate found on the card and an attribute in the directory. The values of both attributes must match to retrieve the owner of the card during authentication.
This tab allows you to provide the unblocking code (PUK) of the user's smart card.
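The attribute mapping only works safely when the value read from the card's certificate selects exactly one directory entry: no match leaves the card unassignable, and two matches mean the card could be tied to the wrong account. The following is an added example, not One Identity's own code, that performs the lookup and refuses both failure cases. The certificate attribute (a UPN read from the card's certificate), the userPrincipalName directory attribute, the directory extract and the case-insensitive comparison are all constructed assumptions for the example.

```python
# Added example, not One Identity's own code: identify a smart card's owner
# through an attribute mapping between the card's certificate and the
# directory, as the "Identification attributes of the user" area describes.
# The attribute names, the directory extract and the case-insensitive
# comparison are assumptions made for this example.

# Constructed directory extract, as a search over the user container would return it.
DIRECTORY = [
    {"dn": "CN=Alice,OU=Users,DC=example,DC=com", "userPrincipalName": "alice@example.com"},
    {"dn": "CN=Bob,OU=Users,DC=example,DC=com", "userPrincipalName": "bob@example.com"},
    # A second entry carrying Bob's UPN: the mapping is ambiguous for him.
    {"dn": "CN=Bob (contractor),OU=Ext,DC=example,DC=com", "userPrincipalName": "bob@example.com"},
]

# Constructed values as they would be read from the certificate on each card.
CARD_CERT_UPN = {
    "alice-card": "Alice@Example.com",
    "bob-card": "bob@example.com",
    "stale-card": "carol@example.com",
}


def resolve_owner(cert_value, directory, directory_attribute="userPrincipalName"):
    """Return (dn, None) when exactly one entry matches, else (None, reason).

    The card may only be tied to an account when the mapped attribute selects
    a single directory entry: no match means the card cannot be assigned,
    several matches mean the card could authenticate as the wrong user."""
    wanted = cert_value.strip().casefold()  # UPNs compare case-insensitively (assumption)
    matches = [
        e for e in directory
        if e.get(directory_attribute, "").strip().casefold() == wanted
    ]
    if len(matches) == 1:
        return matches[0]["dn"], None
    if not matches:
        return None, f"no entry has {directory_attribute}={cert_value!r}"
    dns = ", ".join(e["dn"] for e in matches)
    return None, f"{len(matches)} entries share {directory_attribute}={cert_value!r}: {dns}"


if __name__ == "__main__":
    for card, upn in CARD_CERT_UPN.items():
        dn, reason = resolve_owner(upn, DIRECTORY)
        print(f"{card}: {'owner ' + dn if dn else 'refused: ' + reason}")
```

The ambiguous case is reported with the conflicting entries so that the directory data can be corrected before the card is assigned, rather than picking the first hit.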