Installing Multiple Instances of Password Manager
Several Password Manager instances sharing common configuration are referred to as a realm. A realm is a group of Password Manager Service instances sharing all settings and having the same set of Management Policies, that is, the same user and helpdesk scopes, Q&A policy, and workflow settings. Password Manager realms provide for enhanced availability and fault tolerance. For more information see Typical Deployment Scenarios.
|Caution: It is not recommended to edit Password Manager settings simultaneously on multiple instances belonging to one realm. Simultaneous modification of settings on multiple Password Manager instances may cause data loss.|
To create a Password Manager Realm
- Export a configuration file from the instance belonging to the target realm:
  - To export instance settings to a configuration file, connect to the Administration site of the instance belonging to the target realm.
  - On the menu bar, click General Settings, then click Import/Export.
  - On the Import/Export Configuration Settings page, select the Export configuration settings option and enter the password to protect the configuration file. Click Export to save the configuration file.
|IMPORTANT: Remember the password that you provide for the configuration file. You should enter this password when importing the configuration file for a new instance you want to join to the target realm.|
- Install a new Password Manager instance by running Password Manager for AD LDS x86 or Password Manager for AD LDS x64 from the autorun window of the installation CD. For more information on the installation procedure, see Installing Multiple Instances of Password Manager.
- Open the Administration site by entering the following address: http(s)://<ComputerName>/PMAdminADLDS, where <ComputerName> is the name of the computer on which Password Manager is installed. On the Instance Initialization page, select the A Replica of an existing instance option.
- Click Upload to select the configuration file that you exported from the instance belonging to the target realm.
- Enter the password to the configuration file and click Save.
Specifying Custom Certificates for Authentication and Traffic Encryption Between Password Manager Service and Web Sites
When the Password Manager Service is installed on one computer and the Self-Service and Helpdesk sites are installed on some other computers, certificate-based authentication and traffic encryption is used to protect traffic between these components.
By default, Password Manager uses built-in certificates issued by One Identity. However, you may want to install and use custom certificates issued by a trusted Windows-based certification authority.
This section provides instructions on how to start using custom certificates for authentication and traffic encryption between Password Manager components.
Complete the following steps:
- Obtain and install custom certificates from a trusted Windows-based certification authority.
- Provide certificate issued for a server computer to the Password Manager Service.
- Provide certificate issued for client computers to the Self-Service and Helpdesk sites.
Step 1: Obtain and Install Custom Certificates From a Trusted Windows-Based Certification Authority
You must obtain two certificates from a trusted Windows-based certification authority: one for the computer running the Password Manager Service (server computer) and another for computers running the Self-Service or Helpdesk site (client computers).
When obtaining certificates, make sure that:
- The server computer can be accessed from the client computers by using the server certificate CN.
- Both is selected as the key usage in the certificate request.
- The Enable strong private key protection option is NOT selected in the certificate request.
The following is a sample procedure describing how to obtain a certificate through the Windows 2012 Certificate Services Web interface.
|IMPORTANT: When obtaining a certificate for the server computer, perform the following procedure on a computer where the Password Manager Service runs and use the Password Manager Service account to run Internet Explorer.
When obtaining a certificate for the client computers, perform the following procedure on a computer running the Self-Service or Helpdesk site and use the Application Pool Identity account to run Internet Explorer.|
To request a certificate using Windows 2012 Certificate Services Web Interface
- Use Internet Explorer to open https://servername/certsrv, where servername refers to the name of the Web server running Windows Server 2012 where the certification authority that you want to access is located.
- On the Welcome page, click Request a certificate.
- On the Request a Certificate page, click advanced certificate request.
- On the Advanced Certificate Request page, click Create and submit a certificate request to this CA.
- Provide identification information as required. In the Name text box, enter the name of the server for which you are requesting a certificate.
- In Type of Certificate Needed, select Server Authentication Certificate.
- In Key Options, select Create new key set, and specify the following options:
  - In CSP (Cryptographic service provider), select Microsoft Enhanced RSA and AES Cryptographic Provider.
  - In Key Usage, click Both.
  - In Key Size, set 1024 or more.
  - Select Automatic key container name.
  - Select the Mark keys as exportable check box.
  - Clear the Enable strong private key protection check box.
- In Additional Options, specify the following:
  - In Request Format, select CMC.
  - In Hash Algorithm, select sha256.
  - Do not select the Save request check box.
- Specify attributes if necessary and a friendly name for your request.
- Click Submit.
- If you see the Certificate Issued Web page, click Install this certificate. If your request must first be approved by your administrator, wait for the approval, then go to https://servername/certsrv, click View the status of a pending certificate request, and install the issued certificate.
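Once the certificate has been installed, it is worth confirming that it actually satisfies the requirements listed at the start of Step 1 and the key options chosen in the request before assigning it in Step 2; a certificate with the wrong CN, a signature-only key, or a non-exportable or strongly protected private key only fails later, when the Service or the sites try to use it. The following PowerShell script is an added example and is not part of the One Identity documentation or product. It assumes the certificate was installed into the Local Machine personal store (Cert:\LocalMachine\My), that $ExpectedCN is the name the client computers use to reach the server computer, and that "Both" in the certsrv request corresponds to the Digital Signature and Key Encipherment key-usage bits in the issued certificate; the parameter names and the 1.3.6.1.5.5.7.3.1 Server Authentication OID check are the example's own choices.

```powershell
# Added example (not from the One Identity documentation): verify that an installed
# certificate meets the Step 1 requirements before it is assigned to the Password
# Manager Service or to a Self-Service/Helpdesk site.
#
# Assumptions: certificate lives in Cert:\LocalMachine\My; $ExpectedCN is the host
# name client computers use to reach the server; "Both" in the certsrv request is
# read as Digital Signature + Key Encipherment in the issued certificate.
param(
    [Parameter(Mandatory = $true)] [string] $Thumbprint,
    [Parameter(Mandatory = $true)] [string] $ExpectedCN,
    [int] $MinimumKeySize = 1024,   # minimum stated in the request procedure above
    [string] $ExpectedProvider = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
$problems = [System.Collections.Generic.List[string]]::new()

# 1. The CN must be the name the client computers use to reach the server computer.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn -ne $ExpectedCN) {
    $problems.Add("Subject CN '$cn' does not match the expected server name '$ExpectedCN'.")
}

# 2. Key usage must cover both signing and key exchange ("Both" in the request).
$ku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
    Select-Object -First 1
$needed = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
if ($null -eq $ku -or ($ku.KeyUsages -band $needed) -ne $needed) {
    $problems.Add("Key usage is '$($ku.KeyUsages)'; Digital Signature and Key Encipherment are both required.")
}

# 3. The certificate must be usable for server authentication (EKU 1.3.6.1.5.5.7.3.1).
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    Select-Object -First 1
if ($null -eq $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    $problems.Add('Server Authentication EKU (1.3.6.1.5.5.7.3.1) is missing.')
}

# 4. RSA key size must meet the minimum chosen in the request.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -eq $rsa) {
    $problems.Add('Public key is not RSA.')
} elseif ($rsa.KeySize -lt $MinimumKeySize) {
    $problems.Add("Key size $($rsa.KeySize) is below the minimum of $MinimumKeySize.")
}

# 5. Signature hash should be sha256, as selected in the request.
if ($cert.SignatureAlgorithm.FriendlyName -notmatch 'sha256') {
    $problems.Add("Signature algorithm is '$($cert.SignatureAlgorithm.FriendlyName)', expected sha256.")
}

# 6. The private key must be present, exportable, created in the expected CSP and
#    without strong private key protection. CspKeyContainerInfo exists only for
#    CSP (not CNG) keys, so report when it cannot be inspected instead of guessing.
if (-not $cert.HasPrivateKey) {
    $problems.Add('No private key is associated with this certificate.')
} else {
    $csp = $null
    try { $csp = $cert.PrivateKey.CspKeyContainerInfo } catch { }
    if ($null -eq $csp) {
        $problems.Add('Private key is not accessible as a CSP key; exportability and key protection could not be verified.')
    } else {
        if ($csp.ProviderName -ne $ExpectedProvider) {
            $problems.Add("Private key provider is '$($csp.ProviderName)', expected '$ExpectedProvider'.")
        }
        if (-not $csp.Exportable) { $problems.Add('Private key is not marked as exportable.') }
        if ($csp.Protected)       { $problems.Add('Strong private key protection is enabled on the private key.') }
    }
}

# 7. The chain must build to a CA trusted on this computer.
if (-not $cert.Verify()) {
    $problems.Add('Certificate chain does not validate to a trusted certification authority on this computer.')
}

if ($problems.Count -eq 0) {
    Write-Output "OK: certificate $Thumbprint meets the requirements for $ExpectedCN."
    exit 0
}
$problems | ForEach-Object { Write-Output "PROBLEM: $_" }
exit 1
```

Run it on the server computer under the Password Manager Service account (and on a client computer under the Application Pool Identity account), matching the IMPORTANT note above: the private-key checks in step 6 only succeed when the calling account can actually open the key, so a "not accessible" result under that account points at a key permission problem rather than at the certificate itself.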
Step 2: Provide Certificate Issued for Server Computer to Password Manager Service
In this step, you provide the certificate issued for the server computer to the Password Manager Service by using the Administration site.
To provide the certificate to the Password Manager Service
- Open the Administration site by entering the following address: http(s)://<ComputerName>/PMAdminADLDS, where <ComputerName> is the name of the computer on which Password Manager is installed.
- Click General Settings|Instance Reinitialization. Under Service connection settings, select the custom certificate issued for the server computer from the Certificate name drop-down list.
- Click Save.