Multiple credentials sections – HP Secure Key Manager User Manual


NOTE:

Credential grants cannot be inherited. One administrator can grant only their credentials to one other administrator.

An administrator can grant credentials for the following operations:

Add/Modify keys

Delete keys

Add/Modify users and groups

Delete users and groups

Affect authorization policies

Modify LDAP settings for users and groups

Administrators that are not normally permitted to execute any of these operations cannot grant credentials for them; those options are unavailable. Credentials cannot be granted for those operations not listed.

NOTE:

Granting a credential does not affect that administrator’s access control privileges. For example, if an administrator does not have the access control for Keys and Authorization Policies configuration, that administrator will never be able to create a key, even if another administrator grants credentials to the first administrator.

IMPORTANT:

If an administrator changes the SKM’s system time or reboots it, all temporary administrator credentials immediately expire.

NOTE:

If the SKM is configured to use NTP, modifications to the NTP system time can extend the life span of a granted credential.

NOTE:

Granted credentials are not included in backups.

Multiple credentials in clusters

To implement multiple credentials on SKMs within a cluster, you must adhere to the following guidelines:

All devices within the cluster must have the multiple credentials feature enabled. The feature can be enabled on one device and replicated to the others.

For each device within the cluster, the number of administrators with High Access Administrator access control must be greater than or equal to the number of administrators required to authorize an operation. If not, the feature is not enabled.

To add a new device to a cluster with multiple credentials enabled:

1. Make sure that the new device has the correct number of administrators with High Access Administrator access control.

2. Disable the multiple credentials feature for the cluster by disabling the feature for one device within the cluster. This action requires confirmation from multiple administrators.

3. Add the new device to the cluster. For information on adding a device to a cluster, refer to Join Cluster

Using the Management Console