Ldap administrators, Ldap administrative server, 223 ldap administrative server – HP Secure Key Manager User Manual
Page 223
WARNING!
It is absolutely crucial that you remember the passwords for all of your local administrators. For
security reasons, there is no way to reset a local administrator’s password without logging into the
SKM appliance as a High Access Administrator. If you lose or forget the passwords for all administrator
accounts, you cannot configure the SKM appliance, and you must ship it back to have the software
reinstalled. All keys and configuration data will be unrecoverable.
When a local administrator logs in to the CLI or the Management Console, the SKM appliance
authenticates the username and password with the values stored securely on the SKM appliance. If
the authentication succeeds, the administrator will be logged in to the SKM appliance.
High Access Administrators can change the password of any local administrator. (Such an event is
recorded in the Audit Log.) If one administrator changes the password of another administrator, the
administrator whose password changed is prompted to change his or her password immediately after
logging in (with the new password) to the SKM. After changing the password, the administrator
continues to the Management Console or the command prompt as usual.
LDAP administrators
LDAP administrators are based on user accounts managed on an LDAP server. The LDAP server is
external to the SKM environment; the SKM does not store any information on the LDAP server.
One of the main benefits of using LDAP administrators is that you can centralize your administrator
account management. If you already have an LDAP server set up, you do not have to configure local
administrators.
LDAP administrator usernames can contain letters, numbers, spaces, and punctuation characters, and
they can be up to 64 characters long.
Password management is controlled by the LDAP server, not the SKM. You use the LDAP server to
configure your policies and store the passwords. LDAP administrators cannot change their passwords
using the SKM. The configurable password settings, password history, and password expiration
features on the SKM do not apply to LDAP administrators.
IMPORTANT:
Resetting forgotten passwords may be possible on your LDAP server. This can be both a benefit and
a security risk. If all of your administrator passwords are forgotten, you may be able to use your LDAP
server to reset an LDAP administrator password. Otherwise, it will be impossible to log into the device.
However, this ability could also be used to hijack an LDAP administrator account.
When an LDAP administrator logs in to the CLI or the Management Console, the SKM connects to the
LDAP server to authenticate the username and password. If the authentication succeeds, the
administrator will be logged in to the appliance.
LDAP administrative server
In order to create an LDAP administrator, you must first configure the LDAP Administrator Server
settings. These settings define an external LDAP server containing the list of users that can be designated
as LDAP administrators. When creating an LDAP administrator on the SKM, you will choose the LDAP
administrator from this list of users.
Secure Key Manager
223