
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Activating the PKA authentication method

Procedure
  1. In the EAM Console File menu, click Configuration, and in the displayed window select the Public Key Authentication tab.

    NOTE: The Public Key Authentication tab only appears after a successful extension of the EAM directory and a successful creation of the default objects. For more information, see the One Identity EAM Installation Guide.
  2. Select the Users can authenticate using a public key Certificate check box. Any valid certificate (…) to authenticate users.
    • This check box enables all the other options of the tabbed panel.
  3. Select the Users can enroll their public key Certificate check box. Any valid certificate (…) may be enrolled.

    NOTE: It is mandatory to select this check box with this version of EAM.
  4. If you do not want users to have to provide their password at enrollment time when the certificate is valid, select the Upon enrolment of a new certificate, reinitialize the user's password if the current password cannot be recovered check box.

    With this option, if the user password is wrong or unknown at PKA authentication:

    • If the Primary password is stored as an SSO account, encrypt by check box is selected in the user security profile, that option is used: see the Authentication Tab section for more details.
    • If the password is not recovered or is incorrect, a PKA-signed request is sent to the controller to reset the password in the directory. The reset password complies with the automatic PFCP (Password Format Control Policy) of the user security profile.

  5. You must then configure the set of authorized certification authorities by filling in the Certification Authorities area, according to the following descriptions.

Configuring the set of authorized certification authorities

Only public key certificates issued by explicitly identified certification authorities can be used for EAM PKA. It is therefore necessary to configure the set of authorized certification authorities.

You can import certification authorities using different methods, as described in the following sub-sections. You can combine these methods.

Importing certification authorities from PEM or DER encoded files

Procedure

  1. In the Certification Authorities area, click the Import button, and use the displayed window to select a CA certificate from a DER-encoded (*.cer or *.crt) or a PEM encoded (*.pem) file.
    • A summary window appears.

  2. To view the detailed contents of the certificate, click Details.
  3. To confirm the activation of the certification authority as a permitted issuer of users' public key certificates for EAM PKA, click the Import button.
    • The imported certification authority appears.

      NOTE: If the imported CA certificate contains the URL of a distribution point for certificate revocation information (available in the form of a CRL or an OCSP responder), the creation of the certification authority in the EAM directory also creates an object corresponding to each distribution point (this is the case in our example).
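As an added example (not part of the One Identity guide or product), the following POSIX shell script uses openssl to check a CA certificate file before importing it: it detects PEM versus DER from the file contents rather than the extension, confirms that the certificate really is a CA, and lists the CRL and OCSP distribution points that the import would turn into directory objects. The script name, the file names and the URLs in the comments are constructed for the example.

```shell
#!/bin/sh
# inspect_ca.sh: pre-import check of a CA certificate file (added example,
# not part of the EAM product). Requires openssl 1.1.1 or later for -ext.

# Report PEM or DER. The check looks at the file contents, not the extension:
# a .cer file exported from Windows as "Base-64 encoded" is really PEM.
cert_format() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    echo PEM
  else
    echo DER
  fi
}

# Emit the certificate as PEM on stdout whatever the input encoding.
cert_as_pem() {
  openssl x509 -inform "$(cert_format "$1")" -in "$1" 2>/dev/null
}

# Succeed only if basicConstraints asserts CA:TRUE; an end-entity
# certificate must not be enrolled as a permitted issuer.
cert_is_ca() {
  cert_as_pem "$1" | openssl x509 -noout -ext basicConstraints 2>/dev/null |
    grep -q 'CA:TRUE'
}

# List revocation-information URLs, one per line, prefixed CRL or OCSP.
# These are the distribution points the EAM import turns into objects.
cert_revocation_points() {
  pem=$(cert_as_pem "$1")
  printf '%s\n' "$pem" | openssl x509 -noout -ext crlDistributionPoints 2>/dev/null |
    sed -n 's/.*URI:/CRL /p'
  printf '%s\n' "$pem" | openssl x509 -noout -ext authorityInfoAccess 2>/dev/null |
    sed -n 's/.*OCSP - URI:/OCSP /p'
}

# Usage: sh inspect_ca.sh <ca.pem | ca.cer | ca.crt>
if [ -n "${1:-}" ]; then
  printf 'format: %s\n' "$(cert_format "$1")"
  if cert_is_ca "$1"; then
    echo 'basicConstraints: CA:TRUE'
  else
    echo 'WARNING: not a CA certificate, do not import it as a certification authority'
  fi
  cert_revocation_points "$1"
fi
```

A certificate that lists no CRL or OCSP URL yields no distribution-point objects on import, so revocation checking for certificates it issues has to be provided some other way.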

Importing certification authorities from the Windows system storage

  1. In the Certification Authorities area, select the Import Certification Authorities from Windows system storage check box and click the Import button.
    • The certificate selection window appears.

  2. Select the certificate from the list.
  3. To display the detailed contents of the certificate, click the View Certificate button. Then, click the OK button to resume the import of the certificate.
