Enable secure communication, Microsoft active directory users, Users distinguished name – HP Systems Insight Manager User Manual
Page 111: Subject alternative name, Authentication phase, Authorization phase, Certificate revocation check
Enable secure communication
HP SIM ensures that the user certificate contained in the smart card is trusted by a valid and known
Certificate Authority (CA). It allows users to login to the CMS only if the certificate is trusted, and
is not expired or revoked by the CA issuer, and also it ensures that the user is a valid SIM user.
Microsoft Active Directory users
Two-factor authentication is not supported for local CMS users. It is supported only for domain
users which are configured in Microsoft Active Directory. HP SIM expects one user account to be
saved in HP SIM This account can be configured from the GUI by selecting
Options
→Security→Two-factor Authentication Configuration, or by using the command line interface
mxauthnconfig -a
. Refer to HP SIM Command Line Guide for more information.
Users Distinguished Name
It is important to save the Users distinguished name (DN) in HP SIM where all the certificate based
users are configured. HP SIM does not support multiple users distinguished names.
Subject Alternative Name
HP SIM expects all certificates to possess the Subject Alternative Name->Other name field which
contains the User Principal Name. This User Principal Name will map user's account in HP SIM.
Authentication phase
This phase involves validating the certificate for the following requirements:
•
If the certificate is trusted by a valid or known Certificate Authority (CA)
•
If the certificate is not expired and is still valid.
•
If the certificate is not revoked by the CA.
If any of these validations fail, an error will be reported to the user by the CMS.
Authorization phase
The authentication phase is followed by the authorization phase.
This phase involves authorizing the user to execute tasks in the CMS. This step verifies that the
authenticated user has a valid HP SIM user account.
Certificate revocation check
This is one of the pre-requisites to enable two-factor authentication.
Pre-requisites to enable two-factor authentication technique
•
A domain server account must be configured in HP SIM.
•
The users distinguished name must be configured in HP SIM.
•
The certificate revocation check must be configured in HP SIM. Please see section Certificate
expiration and Certificate Revocation Check (CLR Check) for more information.
•
The root and intermediate CA certificates associated with the user certificates must be imported
into HP SIM. This can be done by selecting Options
→Security→Credentials→Trusted
Systems
→Trusted Certificates.
•
Switch to two-factor authentication mode and restart CMS.
All users must possess certificates to login to HP SIM.
Administrators can still be able to access all CLIs (such as mxuser, mxnode, and so on) when HP
SIM runs on two-factor authentication mode.
Two-factor authentication
111