Health check overview, Health check sections – HP Secure Key Manager User Manual
Page 172

Table 81 KMS Server Authentication Settings section components

User Directory
Determines whether the KMS Server authenticates against the local users and groups directory on this device or against a central LDAP server. Only one user directory can be active at a time; if you choose LDAP, any local users or groups you have defined become unavailable.
NOTE: Selecting LDAP on a FIPS-compliant device takes the device out of FIPS compliance, possibly in a manner that does not comply with FIPS standards. For information on disabling FIPS compliance, see

Password Authentication
Determines whether users must supply a username and password to access the KMS Server. Requiring it effectively disables global sessions. There are two choices:
• Optional – no password authentication is required; global sessions are allowed; unauthenticated users can create global keys; all users can access global keys; only authenticated users can create and access non-global keys.
• Required – password authentication is required; global sessions are not allowed; only non-global keys can be created; authenticated users can access global and non-global keys.

Client Certificate Authentication
There are three options for client certificate authentication:
• Not used – clients do not have to present a client certificate to authenticate to the KMS Server.
• Used for SSL session only – clients must present a certificate signed by a CA trusted by the SKM in order to establish an SSL connection. When you select this option, you must also select a Trusted CA List Profile.
• Used for SSL session and username – clients must present a certificate signed by a CA trusted by the SKM in order to establish the SSL session with the KMS Server, and in addition a username is derived from the client certificate. If password authentication is Optional and the client does not supply a username and password, the certificate-derived username is the sole means of authentication. If the client does supply a username, the KMS Server compares the username derived from the certificate with the username in the authentication request: if they match and the password is valid, the user is authenticated; if they differ, the connection is closed immediately. When you select this option, you must also select a Trusted CA List Profile and choose the certificate field from which the username is derived.

Trusted CA List Profile
Selects the profile used to verify that client certificates are signed by a CA trusted by the SKM. This option applies only when clients are required to present a certificate to authenticate to the KMS Server. For more information, see Trusted Certificate Authority List Profiles. As delivered, the default Trusted CA List profile contains no CAs; you must either add CAs to the default profile or create a new profile and populate it with at least one trusted CA before the KMS Server can authenticate client certificates.

Username Field in Client Certificate
Specifies the certificate field from which the username is derived: UID (user ID), CN (Common Name), SN (Surname), E (E-mail address), E_ND (E-mail address without domain), or OU (Organizational Unit). With E_ND, the KMS Server matches against the data to the left of the @ symbol in the certificate's E-mail address. For example, if the certificate carries an E-mail address of the form User1@domain, the KMS Server matches against User1.

Require Client Certificate to Contain Source IP
When this option is enabled, the KMS Server expects the client certificate presented by the client application to carry an IP address in the subjectAltName extension. The KMS Server takes that IP address from the subjectAltName and compares it to the source IP address of the client connection. If the two addresses match, the KMS Server authenticates the user; if they do not match, the KMS Server closes the connection with the client.

Edit
Click Edit to modify the KMS Server authentication settings.
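The following Go program is an added example written for this page, not HP SKM code; it shows how the three certificate-related rules in Table 81 combine on one client certificate: deriving the username from the selected field (including the E_ND domain strip), comparing it with the username in the request under the Optional and Required password settings, and matching the subjectAltName IP against the connection's source address. Everything it works on is constructed: the self-signed test certificate, its subject values, the 10.0.0.5 address, the field-to-OID table, and the creds map that stands in for the device's user directory are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Subject attribute OIDs for the selectable username fields (assumed mapping for this example).
var fieldOID = map[string]asn1.ObjectIdentifier{
	"UID": {0, 9, 2342, 19200300, 100, 1, 1}, // userId
	"CN":  {2, 5, 4, 3},                      // commonName
	"SN":  {2, 5, 4, 4},                      // surname
	"E":   {1, 2, 840, 113549, 1, 9, 1},      // emailAddress (E_ND reuses this and strips the domain)
	"OU":  {2, 5, 4, 11},                     // organizationalUnitName
}

// subjectAttr returns the first string-valued subject attribute with this OID, or "".
func subjectAttr(cert *x509.Certificate, oid asn1.ObjectIdentifier) string {
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oid) {
			return s
		}
	}
	return ""
}

// DeriveUsername mirrors "Username Field in Client Certificate" (UID, CN, SN, E, E_ND or OU).
func DeriveUsername(cert *x509.Certificate, field string) string {
	v := subjectAttr(cert, fieldOID[strings.TrimSuffix(field, "_ND")])
	if field == "E_ND" { // E_ND keeps only the data to the left of the @ symbol
		v, _, _ = strings.Cut(v, "@")
	}
	return v
}

// Authenticate applies the "Used for SSL session and username" rules together with the Password
// Authentication setting; creds stands in for the device's user directory (assumed for the example).
func Authenticate(cert *x509.Certificate, field string, pwRequired bool, reqUser, reqPass string, creds map[string]string) (string, error) {
	certUser := DeriveUsername(cert, field)
	switch {
	case certUser == "":
		return "", fmt.Errorf("certificate has no %s field", field)
	case reqUser == "" && pwRequired:
		return "", fmt.Errorf("password authentication is required")
	case reqUser == "": // no credentials sent: the certificate username is the sole means of authentication
		return certUser, nil
	case reqUser != certUser:
		return "", fmt.Errorf("username %q does not match the certificate: connection closed", reqUser)
	case creds[reqUser] == "" || creds[reqUser] != reqPass:
		return "", fmt.Errorf("invalid password for %q", reqUser)
	}
	return reqUser, nil
}

// CheckSourceIP implements "Require Client Certificate to Contain Source IP".
func CheckSourceIP(cert *x509.Certificate, source net.IP) error {
	for _, ip := range cert.IPAddresses {
		if ip.Equal(source) {
			return nil
		}
	}
	return fmt.Errorf("source %s is not in subjectAltName: connection closed", source)
}

// NewTestCert builds a self-signed client certificate from constructed subject values and a SAN IP
// so the example runs offline; signature checks against a Trusted CA List Profile are not modelled.
func NewTestCert(cn, ou, uid, sn, email string, ip net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}, ExtraNames: []pkix.AttributeTypeAndValue{
			{Type: fieldOID["UID"], Value: uid}, {Type: fieldOID["SN"], Value: sn}, {Type: fieldOID["E"], Value: email}}},
		IPAddresses: []net.IP{ip},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewTestCert("User1", "Storage", "user1", "One", "User1@kms.example", net.ParseIP("10.0.0.5"))
	if err != nil {
		panic(err)
	}
	fmt.Println(Authenticate(cert, "E_ND", false, "", "", nil))
	fmt.Println(CheckSourceIP(cert, net.ParseIP("10.0.0.9")))
}
```

Authenticate deliberately separates the two cases the table distinguishes: a request with no username at all falls back to the certificate-derived name (only when password authentication is Optional), whereas a request whose username differs from the certificate is closed outright, before any password is considered. In a real deployment the SSL handshake would already have rejected a certificate not signed by a CA in the selected Trusted CA List Profile; the self-signed test certificate here skips that step.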
Using the Management Console