Multiple credentials overview, Operations requiring multiple authentication – HP Secure Key Manager User Manual
NOTE:
Changes made to this section (with the exception of the Password Expiration feature) apply to passwords
created after the changes are saved. For example, if all administrator passwords are 8 characters long,
and you change the minimum password length to 12 characters, the administrators do not have to
immediately change their passwords. Rather, the next time your administrators change their passwords,
they must comply with the new rules.
Multiple Credentials overview
If your configuration of the SKM includes multiple administrators, you can stipulate that some
administrative and key management operations require authorization from more than one administrator.
The multiple credentials feature provides an additional layer of security by protecting your high-level
functions.
You can predetermine the number of administrators required to confirm certain operations, let
administrators give their credentials to one another for a set period of time, and enable multiple
credentials functionality within a clustered environment.
Operations requiring multiple authentication
When the feature is enabled, the following operations require multiple authentication:
• Disable Multiple Authorization
• Create/Edit/Delete/Import Keys
• Edit a key’s owner, delete, and export properties
• Add/Edit/Delete key group permissions
• Create/Edit/Delete users
• Create/Edit/Delete groups
• Add/Remove users from a group
• Create/Edit/Delete authorization policies
• Modify LDAP server settings
• Create/Edit/Delete administrators
• Restore backups
• Rollback system
Any request for these operations, from either the Management Console or the CLI, results in a request for
additional administrator accounts and passwords. The operation only continues when those credentials
are supplied. Otherwise, an error message appears.
Granting credentials
Administrators can grant their credentials to another administrator for a specific period of time. This
allows one administrator to execute several operations without having to enter multiple credentials for
each request. The granting administrator can specify:
• The grantee
• The length of the grant
• The permitted operations
Credentials are granted for a particular administrator account, not a session. This lets an administrator
grant credentials from a different computer.
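The grant rules described above can be modeled as a small authorization check. This is an added illustration, not SKM code or its API: the class, function, and operation names are hypothetical, and it assumes the requesting administrator counts toward the required number of administrators.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative model only: names and operation labels are constructed here,
# not SKM identifiers. Assumption: the requester counts toward the required total.

@dataclass(frozen=True)
class Grant:
    grantor: str           # administrator lending their credentials
    grantee: str           # administrator account allowed to use them
    operations: frozenset  # the permitted operations
    expires: datetime      # end of the grant period

def approvers(requester, operation, supplied, grants, now):
    """Distinct administrators backing a request.

    supplied: administrators whose account and password were entered for
    this request (assumed already verified by the caller).
    """
    backing = {requester} | set(supplied)
    for g in grants:
        # A grant is bound to the grantee account, so there is no session
        # field: it applies wherever that account is logged in.
        if g.grantee == requester and operation in g.operations and now < g.expires:
            backing.add(g.grantor)
    return backing

def authorize(requester, operation, supplied, grants, now, required):
    """True when at least `required` distinct administrators back the request."""
    return len(approvers(requester, operation, supplied, grants, now)) >= required

# Constructed sample: bob grants alice two operations for one hour.
NOW = datetime(2024, 1, 1, 12, 0)
GRANTS = [Grant("bob", "alice", frozenset({"create_key", "restore_backup"}),
                NOW + timedelta(hours=1))]

if __name__ == "__main__":
    print(authorize("alice", "create_key", [], GRANTS, NOW, 2))    # grant in scope
    print(authorize("alice", "delete_user", [], GRANTS, NOW, 2))   # operation not granted
    print(authorize("alice", "create_key", [], GRANTS, NOW + timedelta(hours=2), 2))  # expired
    print(authorize("carol", "create_key", [], GRANTS, NOW, 2))    # not the grantee
```

Because approvers are collected as a set, a grant and directly entered credentials from the same administrator count once, so a single colleague cannot satisfy a three-administrator requirement twice over.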