Step 1: Obtain and Install Custom Certificates From a Trusted Windows-Based Certification Authority
You must obtain two certificates from a trusted Windows-based certification authority: one for the computer running the Password Manager Service (server computer) and another for computers running the Self-Service or Helpdesk site (client computers).
When obtaining certificates, make sure that:
- The server computer can be accessed from the client computers by using the server certificate CN.
- Both is selected as the key usage in the certificate request.
- The Enable strong private key protection option is NOT selected in the certificate request.
The following is a sample procedure describing how to obtain a certificate through the Windows 2012 Certificate Services Web interface.
IMPORTANT: When obtaining a certificate for the server computer, perform the following procedure on a computer where the Password Manager Service runs and use the Password Manager Service account to run Internet Explorer.
When obtaining a certificate for the client computers, perform the following procedure on a computer running the Self-Service or Helpdesk site and use the Application Pool Identity account to run Internet Explorer.
To request a certificate using Windows 2012 Certificate Services Web Interface
- Use Internet Explorer to open https://servername/certsrv, where servername refers to the name of the Web server running Windows Server 2012 where the certification authority that you want to access is located.
- On the Welcome page, click Request a certificate.
- On the Request a Certificate page, click advanced certificate request.
- On the Advanced Certificate Request page, click Create and submit a certificate request to this CA.
- Provide identification information as required. In the Name text box, enter the name of the server for which you are requesting a certificate.
- In Type of Certificate Needed, select Server Authentication Certificate.
- In Key Options, select Create new key set, and specify the following options:
  - In CSP (Cryptographic service provider), select Microsoft Enhanced RSA and AES Cryptographic Provider.
  - In Key Usage, click Both.
  - In Key Size, set 1024 or more.
  - Select Automatic key container name.
  - Select the Mark keys as exportable check box.
  - Clear the Enable strong private key protection check box.
- In Additional Options, specify the following:
  - In Request Format, select CMC.
  - In Hash Algorithm, select sha256.
  - Do not select the Save request check box.
- Specify attributes if necessary and a friendly name for your request.
- Click Submit.
- If you see the Certificate Issued Web page, click Install this certificate. If your request needs to be approved by your administrator first, wait for the approval and then go to the https://servername/certsrv, click View the status of a pending certificate request, and then install the issued certificate.
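After the certificate is installed, it is worth confirming that it actually satisfies the three requirements listed at the start of this step (server CN reachable, key usage Both, private key exportable without strong protection) before handing it to Password Manager. The following PowerShell script is an added example and is not part of the One Identity documentation. It assumes the certificate landed in the Cert:\CurrentUser\My store of the account that ran Internet Explorer (the default for web enrollment) and uses pmserver.example.com as a placeholder for the server CN; run it under the same account the IMPORTANT note names so it sees the same store.

```powershell
# Added example, not from the One Identity documentation.
# Checks a certificate against the requirements of Step 1.
# $ExpectedCN and $StorePath are assumptions; adjust them to your environment.
param(
    [string]$ExpectedCN = 'pmserver.example.com',   # placeholder: CN used in the request
    [string]$StorePath  = 'Cert:\CurrentUser\My'    # store web enrollment installed into
)

$certs = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($ExpectedCN))(,|$)" }
if (-not $certs) { Write-Warning "No certificate with CN=$ExpectedCN in $StorePath"; return }

# Requirement 1: the server CN must resolve from the computer running this check.
$resolves = $false
try { $resolves = @([System.Net.Dns]::GetHostAddresses($ExpectedCN)).Count -gt 0 } catch { }

foreach ($cert in $certs) {
    # Requirement 2: key usage "Both" means digital signature AND key encipherment.
    $kuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $both = $false
    if ($kuExt) {
        $sig = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
        $enc = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
        $both = (($kuExt.KeyUsages -band $sig) -ne 0) -and (($kuExt.KeyUsages -band $enc) -ne 0)
    }

    # Requirement 3: private key present and exportable ("Mark keys as exportable").
    # If strong private key protection was enabled, opening the key would prompt or fail,
    # which the catch block reports as $null.
    $exportable = $null
    if ($cert.HasPrivateKey) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # CAPI provider, e.g. Microsoft Enhanced RSA and AES Cryptographic Provider
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
                $exportable = ($rsa.Key.ExportPolicy -band $allow) -ne 0
            }
        } catch { $exportable = $null }
    }

    $pub = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    [pscustomobject]@{
        Thumbprint       = $cert.Thumbprint
        Subject          = $cert.Subject
        CNResolves       = $resolves
        KeyUsageBoth     = $both
        HasPrivateKey    = $cert.HasPrivateKey
        PrivateKeyExport = $exportable
        KeySize          = if ($pub) { $pub.KeySize } else { $null }
        SignatureAlg     = $cert.SignatureAlgorithm.FriendlyName   # sha256RSA for the request above
        NotAfter         = $cert.NotAfter
    }
}
```

Save it as a .ps1 file and run it once on the server computer and once on a client computer (the client run is the one that proves the CN resolves from where the Self-Service or Helpdesk site lives). A row with KeyUsageBoth or PrivateKeyExport equal to False means the request was submitted with the wrong Key Usage or strong private key protection setting and should be redone rather than worked around.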
Step 2: Provide Certificate Issued for Server Computer to Password Manager Service
In this step, you provide the certificate issued for the server computer to the Password Manager Service by using the Administration site.
To provide the certificate to the Password Manager Service
- Open the Administration site by entering the following address: http(s)://<ComputerName>/PMAdminADLDS, where <ComputerName> is the name of the computer on which Password Manager is installed.
- Click General Settings > Instance Reinitialization. Under Service connection settings, select the custom certificate issued for the server computer from the Certificate name drop-down list.
- Click Save.
Step 3: Provide Certificate Issued for Client Computers to Legacy Self-Service, Password Manager Self-Service, and Helpdesk Sites
In this step, you provide the certificate issued for the client computers to the Self-Service and Helpdesk sites installed separately from the Password Manager Service.
To provide the certificate to the Legacy Self-Service Site and Password Manager Self-Service site
- Open the Self-Service site by entering the following address: http(s)://<ComputerName>/PMUserADLDS, where <ComputerName> is the name of the computer on which the Self-Service site is installed. The Self-Service Site Initialization page is displayed automatically when the Self-Service site is opened for the first time.
- From the Certificate name drop-down list, select the custom certificate issued for the client computer.
- Click Save.
To provide the certificate to the Helpdesk Site
- Open the Helpdesk site by entering the following address: http(s)://<ComputerName>/PMHelpdeskADLDS, where <ComputerName> is the name of the computer on which the Helpdesk site is installed. The Helpdesk Site Initialization page is displayed automatically when the Helpdesk site is opened for the first time.
- From the Certificate name drop-down list, select the custom certificate issued for the client computer.
- Click Save.
Upgrading Password Manager
This section describes how to upgrade Password Manager to the latest version (5.10.1).
NOTE:
- It is recommended to back up the current configuration by exporting the settings from 5.7.1 or later versions. For more information, see To export configuration settings from Password Manager for AD LDS 5.7.1 or later versions to 5.10.1.
- Running the Migration Wizard is not required when upgrading from Password Manager 5.7.1 or later versions to 5.10.1.
- If you upgrade to 5.10.1, it is recommended to reinstall the license file from the Administration site once the upgrade is complete. Before installing the license, delete the existing SoftLicense binary value from the [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Quest Software] registry key.
- Any workflows that were customized in previous versions of Password Manager should be manually merged with the workflow of the latest version of Password Manager to avoid end-user data corruption. For example, changes made to the Register workflow (Self-Service workflows), such as adding or updating authentication steps in the default configuration, should be manually recreated after upgrading to PM 5.10.1.
- To update storage files with the new encryption mechanism, all realm instances must be updated with the Password Manager 5.10.1 configuration and must have the same encryption key. To do so, log in to the PMAdmin site from the primary server and navigate to General Settings > Import/Export > Export. Copy and save the password securely. Import this configuration data into all PM secondary replication instances by selecting the exported configuration data and providing the password.
- If the secondary instances are not updated with the new configuration, the Administration site displays the notification 'Import configuration settings from primary instance'. In the replication instances, navigate to General Settings > Import/Export > Import, select the data exported from the primary server, and enter the saved password.
- The Shared.storage file is encrypted and copied to Active Directory only when all replication instances are updated with the Password Manager 5.10.1 configuration and encryption key.
- When all realm instances are updated with Password Manager 5.10.1, users' Q&A profiles are updated with the new encryption key when one of the following is performed:
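The license note above asks for the SoftLicense binary value to be deleted before the license file is reinstalled. As an added example (not from the One Identity documentation), the following PowerShell takes a backup of that registry key first and only then removes the value, so the old licensing state can be restored with reg import if the upgrade has to be rolled back. The backup location under $env:TEMP is an assumption; the key and value name are the ones the note gives.

```powershell
# Added example, not from the One Identity documentation.
# Backs up the Quest Software key, then deletes the SoftLicense value named in the upgrade note.
# Run in an elevated PowerShell session on the Password Manager server after the upgrade,
# before reinstalling the license from the Administration site.
$keyPath    = 'HKLM:\SOFTWARE\Wow6432Node\Quest Software'      # from the note above
$regKey     = 'HKLM\SOFTWARE\Wow6432Node\Quest Software'       # same key in reg.exe syntax
$valueName  = 'SoftLicense'
$backupFile = Join-Path $env:TEMP 'QuestSoftware-SoftLicense-backup.reg'   # assumed location

# Nothing to do if the value is already gone (fresh install, or already cleaned up).
$item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $item) {
    Write-Host "No $valueName value under $keyPath; nothing to delete."
    return
}

# Export the whole key so the old value can be put back with 'reg import' if needed.
& reg.exe export $regKey $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Registry backup to $backupFile failed; $valueName was NOT deleted."
}

Remove-ItemProperty -Path $keyPath -Name $valueName
Write-Host "Deleted $valueName (backup saved to $backupFile)."
Write-Host "Now reinstall the license file from the Administration site."
```

Because the value is removed only after reg.exe reports success, a failed backup (for example, a non-elevated session that cannot write the .reg file) leaves the registry untouched rather than half-done.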
This section consists of the following topics:
To export configuration settings from Password Manager for AD LDS 5.7.1 or later versions to 5.10.1
- Connect to the Administration site by typing the Administration site URL in the address bar of your Web browser. By default, the URL is http://<ComputerName>/PMAdminADLDS/.
NOTE: When prompted to log in, provide your domain user name in a domainname\username format.
- On the left pane, click General Settings, click the Import/Export tab, select the Export configuration settings option, and then click Export.
After you have exported configuration settings from Password Manager 5.10.1 or later versions, you can uninstall it.
To uninstall Password Manager for AD LDS 5.7.1 or later versions
- Click Start, click Run, type appwiz.cpl, and then press ENTER.
- Select One Identity Password Manager for AD LDS x86/x64 in the list, and then click Uninstall.
After you uninstall Password Manager 5.7.1 or later versions, install Password Manager 5.10.1 on the same computer. All configuration settings will be automatically detected by the new version.