LDAP Administrator Server, LDAP Administrator Server and FIPS compliance – HP Secure Key Manager User Manual

Page 238


Components and descriptions

SSH Admin Server IP
The SSH Admin Server IP address is the IP address used to configure the SKM from the
CLI. You can select one specific IP address or all of the IP addresses bound to the SKM.

CAUTION:
We strongly recommend that you limit the SSH Admin Server IP to a specific IP
address. If you have four IP addresses bound to the SKM, and you select All instead
of a specific IP address, then the SKM listens for SSH Administration requests on
four different IP addresses; whereas, if you specify a single IP address, the SKM
listens for SSH Administration requests on only one IP address. Listening on a single
address greatly reduces the appliance's exposure to attacks from outside.

SSH Admin Server Port
The SSH Administration Server Port specifies the port on which the server listens for
requests. The default port is 22.

Edit
Click Edit to modify the remote administrator settings.

Recreate Web Cert
Click Recreate Web Cert to generate a new certificate for the remote administration
Management Console. After you click Recreate Web Cert, you are presented with an
intermediate page that allows you to specify the duration of the Web Admin Certificate.
After you specify a value in days, click Create. You must close all browser windows and
restart the browser to reconnect to the Management Console.

Recreate SSH Key
Click Recreate SSH Key to generate a new key for remote administration use via SSH.
Recreating the key closes all active SSH connections.

LDAP Administrator Server

You configure LDAP servers for administrators separately from LDAP servers for users. This allows for
greater flexibility, and simplifies cluster replication, since administrators and users are separately
replicated.

An LDAP account cannot be designated as an administrator if there is already a local administrator
account with the same username. Likewise, a local account cannot be created or renamed with the
same username as an LDAP account which has been designated as an administrator.

NOTE:

LDAP administrators cannot modify LDAP administrator server settings.

LDAP Administrator server and FIPS compliance

If an LDAP Administrator Server is configured, the SKM appliance cannot be in FIPS compliance:
configuring the LDAP Administrator Server on a FIPS-compliant SKM appliance takes the appliance
out of FIPS compliance. When you try to edit the LDAP Administrator Server on a FIPS-compliant
SKM appliance, the Management Console displays a warning that configuring the LDAP Administrator
Server will take the SKM appliance out of FIPS compliance.

If the device is not in FIPS compliance because an LDAP Administrator Server is currently configured,
clicking “Set FIPS Compliant” on the High Security Configuration page will result in an error. The
LDAP Administrator Server settings must be cleared manually before the device can become
FIPS-compliant.
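The three rules this page states (bind the SSH Admin Server to one IP rather than All, no username shared between a local administrator and an LDAP administrator, and no FIPS compliance while an LDAP Administrator Server is configured) as an added Python configuration check. This is example code written for this page, not code from HP's manual or the SKM software; the SkmAdminConfig model, its field names and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class SkmAdminConfig:  # constructed model of the settings above, not the SKM's real data model
    bound_ips: List[str]                      # IP addresses bound to the SKM
    ssh_admin_ip: str                         # one bound IP, or "All"
    ssh_admin_port: int = 22                  # default SSH Administration Server port
    ldap_admin_server: Optional[str] = None   # LDAP Administrator Server host, if configured
    fips_compliant: bool = False
    local_admins: Set[str] = field(default_factory=set)
    ldap_admins: Set[str] = field(default_factory=set)

def ssh_listen_addresses(cfg: SkmAdminConfig) -> Tuple[List[str], List[str]]:
    """Addresses the SSH Admin Server would listen on, plus warnings (All widens exposure)."""
    if cfg.ssh_admin_ip == "All":
        msg = f"SSH Admin Server listens on {len(cfg.bound_ips)} addresses; bind it to one IP"
        return list(cfg.bound_ips), [msg]
    if cfg.ssh_admin_ip not in cfg.bound_ips:
        raise ValueError(f"{cfg.ssh_admin_ip} is not bound to the SKM")
    return [cfg.ssh_admin_ip], []

def create_local_admin(cfg: SkmAdminConfig, username: str) -> None:
    """A local account may not reuse the username of an LDAP administrator."""
    if username in cfg.ldap_admins:
        raise ValueError(f"'{username}' is already an LDAP administrator")
    cfg.local_admins.add(username)

def designate_ldap_admin(cfg: SkmAdminConfig, username: str) -> None:
    """An LDAP account may not become administrator if a local administrator has that name."""
    if username in cfg.local_admins:
        raise ValueError(f"'{username}' is already a local administrator")
    cfg.ldap_admins.add(username)

def set_ldap_admin_server(cfg: SkmAdminConfig, host: str) -> Optional[str]:
    """Configure the LDAP Administrator Server; on a FIPS-compliant appliance this drops compliance."""
    warning = None
    if cfg.fips_compliant:
        warning = "configuring the LDAP Administrator Server takes the SKM appliance out of FIPS compliance"
        cfg.fips_compliant = False
    cfg.ldap_admin_server = host
    return warning  # the Management Console shows this warning before the edit is applied

def set_fips_compliant(cfg: SkmAdminConfig) -> None:
    """'Set FIPS Compliant' fails while an LDAP Administrator Server is configured; clear it first."""
    if cfg.ldap_admin_server is not None:
        raise RuntimeError("LDAP Administrator Server settings must be cleared before FIPS compliance")
    cfg.fips_compliant = True
```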

Using the Management Console