
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


Deleting a certification authority


In the Certification Authorities area, select the certification authorities to remove and click the Delete button.

  • The certification authority is removed from the list of trusted CAs.

IMPORTANT: If the removed public key certificate contains a revocation information point of distribution, the associated CRL or OCSP responder is NOT removed from EAM PKA: the revocation status of users’ certificates will still be updated by the EAM PKA revocation engine. However, the enrollment of a user’s certificate issued by the removed certification authority will be denied.

Configuring the automatic update of the revocation information

IMPORTANT: You can use EAM PKA without checking the revocation status of users’ certificates. However, for obvious security reasons, this is strongly discouraged.

To perform the tasks described in this section, you must have the following administration role:

  • In classic administration mode: "Security object administrator".
  • In advanced administration mode, your role must contain the following administration rights: "PKA authority: Creation/Modification", "PKA authority: Deletion".

In this section:

Importing a CRL point of distribution
Importing an OCSP responder

Importing a CRL point of distribution

Subject

In most cases, the URL of a revocation information point of distribution is included in a public key certificate. When importing the public key certificate of a certification authority, EAM Console automatically imports the associated revocation information point of distribution.

However, in some cases, CA certificates do not use the same CRL as users’ certificates. It is then necessary to manually import the URLs of the CRLs that publish the revocation status of these users’ certificates.

Procedure

  1. In the Revocation Information area, select the Support CRL check box and click the Import button.
    • The importation window appears.

  2. Fill in the URL or filename field and click OK.

    NOTE: This version of EAM PKA supports HTTP (http://...) and FTP (ftp://...), in addition to local files (file://...), as valid protocols to collect CRLs. Future versions may support alternative protocols such as LDAP.
    • If the provided URL is valid, the CRL is downloaded from the Internet through the configured HTTP proxy server if required (Use this HTTP proxy field).
  3. Once a CRL has been taken into account, you can perform its explicit update. For that purpose, select the CRL in the available list and click the Update button. The CRL is then immediately downloaded and verified.

Importing an OCSP responder

Subject

In most cases, the URL of a revocation information point of distribution is included in a public key certificate. When importing the public key certificate of a certification authority, EAM Console automatically imports the associated revocation information point of distribution.

However, in some cases, CA certificates do not use the same OCSP responder as users’ certificates. It is then necessary to manually import the OCSP responders that publish the revocation status of these users’ certificates.

Procedure

  1. In the Revocation Information area, select the Support CRL check box and click the Import button.
    • The importation window appears.

  2. Enter in the URL or filename field the URL of the OCSP responder and select the Import URL as an OCSP responder check box.
    • The Certificate file field becomes available.
  3. Enter the path name of a valid public key certificate used by the OCSP responder server and click OK.
  4. Once an OCSP responder has been taken into account, you may need to update its public key certificate. For that purpose, select the OCSP responder in the list, click the Certificate button and select the DER-encoded or PEM-encoded file that contains the public key certificate used by the OCSP responder to sign its responses.
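The two Subject paragraphs above explain that EAM Console picks up the revocation endpoints embedded in a CA certificate, while user certificates may point at a different CRL or OCSP responder. The following added example (not code from this guide or from EAM) uses the third-party Python cryptography package to read those URLs from X.509 certificates and to list the ones a user certificate relies on but its CA certificate does not advertise; the certificate names and URLs are constructed placeholders.

```python
# Added example (not from the One Identity guide): list the CRL and OCSP URLs a
# certificate embeds and report those a user certificate uses but its CA certificate
# does not advertise. Assumes the third-party 'cryptography' package; all certificates
# and URLs below are constructed placeholders.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

def uris(names):
    # Keep only the uniformResourceIdentifier GeneralName choices (http, ftp, file, ldap, ...)
    return {n.value for n in names if isinstance(n, x509.UniformResourceIdentifier)}

def revocation_endpoints(cert):
    # (crl_urls, ocsp_urls) read from the CRLDistributionPoints and AuthorityInfoAccess extensions
    crl, ocsp = set(), set()
    try:
        for dp in cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value:
            crl |= uris(dp.full_name or [])  # full_name is None for relative (directory) names
    except x509.ExtensionNotFound:
        pass  # certificate carries no CDP extension
    try:
        for ad in cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value:
            if ad.access_method == AuthorityInformationAccessOID.OCSP:
                ocsp |= uris([ad.access_location])
    except x509.ExtensionNotFound:
        pass  # certificate carries no AIA extension
    return crl, ocsp

def endpoints_to_import(ca_cert, user_cert):
    # Endpoints the user certificate relies on that the CA certificate does not name:
    # these are the ones to add by hand in the Revocation Information area.
    ca_crl, ca_ocsp = revocation_endpoints(ca_cert)
    user_crl, user_ocsp = revocation_endpoints(user_cert)
    return user_crl - ca_crl, user_ocsp - ca_ocsp

def make_sample_cert(common_name, crl_url, ocsp_url):
    # Self-signed throwaway certificate carrying the given CDP and OCSP URLs (constructed sample)
    key, now = ec.generate_private_key(ec.SECP256R1()), datetime.datetime.now(datetime.timezone.utc)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
                   [x509.UniformResourceIdentifier(crl_url)], None, None, None)]), critical=False)
               .add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
                   AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))]),
                   critical=False))
    return builder.sign(key, hashes.SHA256())

# Constructed scenario: the CA's own CRL and the users' CRL are published at different URLs
CA_CERT = make_sample_cert("Sample CA", "http://pki.example.invalid/ca.crl", "http://ocsp.example.invalid/")
USER_CERT = make_sample_cert("alice", "http://pki.example.invalid/users.crl", "http://ocsp.example.invalid/")
```

Run against a real CA certificate and one enrolled user certificate (loaded with x509.load_pem_x509_certificate or load_der_x509_certificate), the CRL URLs returned by endpoints_to_import are exactly the ones to enter in the URL or filename field.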