HP Secure Key Manager User Manual


Figure 101 Viewing the KMS Server Authentication Settings section

The following table describes the elements of the KMS Server Authentication Settings section.

Table 82 KMS Server Authentication Settings section components

Component: User Directory

    Description: This field determines whether the KMS Server uses a local user and
    groups directory for this device or a central LDAP server. You can only choose one
    user directory at a time; if you choose LDAP, any local users or groups you define
    will be unavailable.

    NOTE: Selecting LDAP on a FIPS-compliant device will take the device out of FIPS
    compliance - possibly in a manner that does not comply with FIPS standards. For
    information on disabling FIPS compliance, see "FIPS Compliance".

Component: Password Authentication

    Description: This field determines whether you require users to provide a username
    and password to access the KMS Server. Doing so effectively disables global
    sessions. You have two choices for this field:

    Optional - no password authentication is required; global sessions are allowed;
    unauthenticated users can create global keys; all users can access global keys;
    only authenticated users can create and access non-global keys.

    Required - password authentication is required; global sessions are not allowed;
    only non-global keys can be created; authenticated users can access global and
    non-global keys.

Component: Client Certificate Authentication

    Description: You have three options for client certificate authentication:

    Not used - clients do not have to provide a client certificate to authenticate to
    the KMS Server.

    Used for SSL session only - clients must provide a certificate signed by a CA
    trusted by the SKM in order to establish an SSL connection. When you select this
    option, you must also select a Trusted CA List Profile.

    Used for SSL session and username - again, clients must provide a certificate
    signed by a CA trusted by the SKM in order to establish an SSL session with the
    KMS Server; additionally, a username is derived from the client certificate. That
    username is the sole means of authentication if password authentication is
    optional and the client does not provide a username and password. If the client
    provides a username, the KMS Server compares the username derived from the
    certificate against the username in the authentication request. If the usernames
    are the same and the password is valid, the user is authenticated. If the
    usernames are not the same, the connection is closed immediately. When you select
    this option, you must also select a Trusted CA List Profile, and you must choose
    the field from which the username is derived.
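The interaction between Password Authentication, Client Certificate Authentication and the credentials a client actually presents is easier to check against a small model than against the prose, so the following Python function is an added example that transcribes the rules in the table above; it is not HP or SKM product code. It assumes a constructed in-memory user directory, result labels of its own ("global", "user:<name>", "closed", "rejected"), and, since the page does not say how a wrong password is answered, treats that as "rejected".

```python
"""Model of the KMS Server authentication decision as described in Table 82.

Illustrative only (not HP SKM code). USERS is a constructed sample directory;
the returned labels are this example's own convention.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample local user directory: username -> password.
USERS = {"alice": "s3cret", "backup-svc": "hunter2"}

PASSWORD_OPTIONAL = "Optional"
PASSWORD_REQUIRED = "Required"
CERT_NOT_USED = "Not used"
CERT_SSL_ONLY = "Used for SSL session only"
CERT_SSL_AND_USERNAME = "Used for SSL session and username"


@dataclass
class Request:
    username: Optional[str] = None
    password: Optional[str] = None
    cert_trusted: bool = False           # chains to a CA in the Trusted CA List Profile
    cert_username: Optional[str] = None  # value of the configured certificate field


def authenticate(password_auth: str, cert_mode: str, req: Request) -> str:
    """Return 'global', 'user:<name>', 'closed' (SSL/certificate failure) or 'rejected'."""
    # Both certificate modes require a certificate from a trusted CA to open the session.
    if cert_mode != CERT_NOT_USED and not req.cert_trusted:
        return "closed"
    if cert_mode == CERT_SSL_AND_USERNAME:
        if not req.cert_username:
            return "closed"  # assumption: the configured field is absent from the certificate
        if req.username is None:
            # Certificate-derived name is the sole means of authentication only when
            # password authentication is Optional and no credentials were sent.
            if password_auth == PASSWORD_OPTIONAL and req.password is None:
                return f"user:{req.cert_username}"
            return "rejected"
        if req.username != req.cert_username:
            return "closed"  # mismatch: the connection is closed immediately
    if req.username is None:
        # No credentials: a global (unauthenticated) session only if passwords are Optional.
        return "global" if password_auth == PASSWORD_OPTIONAL else "rejected"
    if USERS.get(req.username) == req.password:
        return f"user:{req.username}"
    return "rejected"  # assumption: the page does not specify the wrong-password response
```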

Using the Management Console
