beautypg.com

Ldap administrators, Ldap administrative server – HP Secure Key Manager User Manual

Page 203

background image

WARNING!

It is absolutely crucial that you remember the passwords for all of your local administrators. For security

reasons, there is no way to reset a local administrator’s password without logging into the SKM appliance

as a High Access Administrator. If you lose or forget the passwords for all administrator accounts, you

cannot configure the SKM appliance, and you must ship it back to have the software reinstalled. All keys

and configuration data will be unrecoverable.

When a local administrator logs in to the CLI or the Management Console, the SKM appliance

authenticates the username and password with the values stored securely on the SKM appliance. If the

authentication succeeds, the administrator will be logged in to the SKM appliance.
High Access Administrators can change the password of any local administrator. (Such an event is

recorded in the Audit Log.) If one administrator changes the password of another administrator, the

administrator whose password changed is prompted to change his or her password immediately after

logging in (with the new password) to the SKM. After changing the password, the administrator continues

to the Management Console or the command prompt as usual.

LDAP administrators

LDAP administrators are based on user accounts managed on an LDAP server. The LDAP server is external

to the SKM environment; the SKM does not store any information on the LDAP server.
One of the main benefits of using LDAP administrators is that you can centralize your administrator

account management. If you already have an LDAP server set up, you do not have to configure local

administrators.
LDAP administrator usernames can contain letters, numbers, spaces, and punctuation characters, and

they can be up to 64 characters long.
Password management is controlled by the LDAP server, not the SKM. You use the LDAP server to

configure your policies and store the passwords. LDAP administrators cannot change their passwords

using the SKM. The configurable password settings, password history, and password expiration features

on the SKM do not apply to LDAP administrators.

IMPORTANT:

Resetting forgotten passwords may be possible on your LDAP server. This can be both a benefit and a

security risk. If all of your administrator passwords are forgotten, you may be able to use your LDAP

server to reset an LDAP administrator password. Otherwise, it will be impossible to log into the device.

However, this ability could also be used to hijack an LDAP administrator account.

When an LDAP administrator logs in to the CLI or the Management Console, the SKM connects to the

LDAP server to authenticate the username and password. If the authentication succeeds, the administrator

will be logged in to the appliance.

LDAP administrative server

In order to create an LDAP administrator, you must first configure the LDAP Administrator Server settings.

These settings define an external LDAP server containing the list of users that can be designated as

LDAP administrators. When creating an LDAP administrator on the SKM, you will choose the LDAP

administrator from this list of users.
Configuration of the LDAP Administrator Server and the first LDAP administrator must be performed by a

local administrator. Thereafter, you can use the LDAP administrator.
If you are using LDAP administrators, we recommend that you enable SSL in the LDAP Administrator

Server settings. This ensures that the connection between the SKM and the LDAP server is secure. If you

do not use SSL, then it is possible that the LDAP administrator passwords will travel in the clear during

authentication, depending on the LDAP server’s configuration (such as if the server is set to use “simple”

authentication).

Secure Key Manager

203