Enable secure communication, Directory structure users, Users distinguished name – HP Systems Insight Manager User Manual

Enable secure communication

HP SIM ensures that the user certificate contained in the smart card is trusted by a valid and known
Certificate Authority (CA). It allows users to login to the CMS only if the certificate is trusted, and
is not expired or revoked by the CA issuer, and also it ensures that the user is a valid SIM user.

Directory structure users

Two-factor authentication is not supported for local CMS users. It is supported for domain users
which are configured in Microsoft Active Directory or any other directory service; for example,
Apache directory, and so on. HP SIM expects one user account to be saved in HP SIM This account
can be configured from the GUI by selecting Options

→Security→Two-factor Authentication

Configuration, or by using the command line interface mxauthnconfig -a. Refer to HP SIM
Command Line Guide for more information.

Users Distinguished Name

It is important to save the Users distinguished name (DN) in HP SIM where all the certificate based
users are configured. HP SIM does not support multiple users distinguished names. User Name
Attribute should be supplied with a field that is unique in directory structure and can be used to
uniquely create a user in HP SIM. This can be sAMAccountName in the case of Active Directory,
or any unique field, such as UID/ID/email/empID in the case of open directories.

Subject Alternative Name

HP SIM expects all certificates to possess the Subject Alternative Name->Other name field which
contains the User Principal Name. This User Principal Name will map user's account in HP SIM.

Authentication phase

This phase involves validating the certificate for the following requirements:

•

If the certificate is trusted by a valid or known Certificate Authority (CA)

•

If the certificate is not expired and is still valid.

•

If the certificate is not revoked by the CA.

If any of these validations fail, an error will be reported to the user by the CMS.

Authorization phase

The authentication phase is followed by the authorization phase.

This phase involves authorizing the user to execute tasks in the CMS. This step verifies that the
authenticated user has a valid HP SIM user account.

Certificate revocation check

This is one of the pre-requisites to enable two-factor authentication.

Pre-requisites to enable two-factor authentication technique

•

A domain server account must be configured in HP SIM.

•

The users distinguished name must be configured in HP SIM.

•

The certificate revocation check must be configured in HP SIM. Please see

“Certificate expiration

and Certificate Revocation Check (CRL Check)” (page 102)

) for more information.

•

The root and intermediate CA certificates associated with the user certificates must be imported
into HP SIM. This can be done by selecting Options

→Security→Credentials→Trusted

Systems

→Trusted Certificates.

•

Switch to two-factor authentication mode and restart CMS.

All users must possess certificates to login to HP SIM.

Two-factor authentication

117