Multiple credentials overview, Operations requiring multiple authentication – HP Secure Key Manager User Manual

NOTE:

Changes made to this section (with the exception of the Password Expiration feature) apply to passwords created after the changes are saved. For example, if all administrator passwords are 8 characters long, and you change the minimum password length to 12 characters, the administrators do not have to immediately change their passwords. Rather, the next time your administrators change their passwords, they must comply with the new rules.

Multiple Credentials overview

If your configuration of the SKM includes multiple administrators, you can stipulate that some administrative and key management operations require authorization from more than one administrator. The multiple credentials feature provides an additional layer of security by protecting your high-level functions. You can predetermine the number of administrators required to confirm certain operations, let administrators give their credentials to one another for a set period of time, and enable multiple credentials functionality within a clustered environment.

Operations requiring multiple authentication

When the feature is enabled, the following operations require multiple authentication:

Disable Multiple Authorization

Create/Edit/Delete/Import Keys

Edit a key’s owner, delete, and export properties

Add/Edit/Delete key group permissions

Create/Edit/Delete users

Create/Edit/Delete groups

Add/Remove users from a group

Create/Edit/Delete authorization policies

Modify LDAP server settings

Create/Edit/Delete administrators

Restore backups

Rollback system

Any request for these operations, from either the Management Console or the CLI, results in a request for additional administrator accounts and passwords. The operation only continues when those credentials are supplied. Otherwise, an error message appears.

Granting credentials

Administrators can grant their credentials to another administrator for a specific period of time. This allows one administrator to execute several operations without having to enter multiple credentials for each request. The granting administrator can specify:

The grantee

The length of the grant

The permitted operations

Credentials are granted for a particular administrator account, not a session. This lets an administrator grant credentials from a different computer.
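A small model of the decision described in the two sections above (a required number of administrators, plus grants limited by grantee, duration and permitted operations), added here as an illustration; it is not HP's implementation and not part of the manual. The operation labels, the `Grant` and `authorize` names, and the rule that the requester counts toward the required number are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed labels for a few operations from the manual's list.
PROTECTED_OPS = {"disable_multiple_authorization", "delete_key",
                 "create_administrator", "restore_backup"}

@dataclass(frozen=True)
class Grant:
    grantor: str           # administrator lending credentials
    grantee: str           # an administrator account, not a session
    operations: frozenset  # the permitted operations
    expires: datetime      # end of the grant period

    def covers(self, requester, operation, now):
        return (self.grantee == requester
                and operation in self.operations
                and now < self.expires)

def authorize(requester, operation, required, presented, grants, now):
    """Return (allowed, approvers).

    presented: administrators whose account and password were already
    verified for this request (password checking is out of scope here).
    Assumption: the requester counts as one of the `required` approvers.
    """
    if operation not in PROTECTED_OPS:
        return True, {requester}
    # A set, so an administrator who both granted and typed a password,
    # or who granted to themselves, is still counted once.
    approvers = {requester} | set(presented)
    approvers |= {g.grantor for g in grants
                  if g.covers(requester, operation, now)}
    return len(approvers) >= required, approvers

if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0)  # constructed sample data
    grant = Grant("bob", "alice", frozenset({"restore_backup"}),
                  now + timedelta(hours=1))
    for op, when in [("restore_backup", now), ("delete_key", now),
                     ("restore_backup", now + timedelta(hours=2))]:
        print(op, when.time(), authorize("alice", op, 2, [], [grant], when)[0])
```

When reviewing a deployment, the same three questions apply to every outstanding grant: who holds it, which operations it covers, and when it lapses.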
