Configuring CA Auth ID PKI Settings
This page describes how to configure the CA Strong Authentication CA Auth ID PKI credential profile and authentication policy.
Ensure that you are logged in as a Global Administrator (GA) to perform all the tasks in this section.
Configure the CA Auth ID PKI Credential Profile
You can use a CA Auth ID PKI profile to define the following attributes:
- Key strength: The size (in bits) of the key to be used in the CA Auth ID PKI Cryptographic Camouflage algorithm.
- Validity period: The period for which a CA Auth ID PKI credential is valid.
- Password strength: The effectiveness of a password, determined by its length and the number of alphabetic, numeric, and special characters in it.
By configuring a CA Auth ID PKI profile and assigning it to one or more organizations, you can control the characteristics of CA Auth ID PKIs that are issued to users of those organizations.
Follow these steps:
- Click the Services and Server Configurations tab on the main menu.
- Verify that the CA Strong Authentication tab in the submenu is active.
- Under the CA Auth ID section, click the Issuance link to display the CA Auth ID Profiles page.
- Edit the fields in the Profile Configurations section, as required:
- Profile Configurations:
- Create: To create a new profile:
- Select the Create option.
- Specify the Configuration Name of the new profile in the field that appears.
- Update: To update an existing profile, select the profile that you want to update from the Select Configuration list.
- Copy Configuration: Enable this option if you want to create the profile by copying the configurations from an existing profile. Note: You can also copy from configurations that belong to other organizations that you have scope on.
- Available Configurations: Select the profile from which the configurations are copied.
- Key Length (in Bits): Specify the size of the key (in bits) to be used for encryption. The default value is 1024 bits.
- Validity Start Date: Specify the date from which the issued CA Auth ID PKI credential is valid. Validity can start from either the date of the CA Auth ID PKI creation or a date that you specify.
- Validity End Date: Specify the date when the CA Auth ID PKI expires. You can either specify the duration until the credential expires or specify the date.
- Password Strength:
- Minimum Characters: Specify the least number of characters that the password can contain. You can set a value from 4 through 64 characters.
- Maximum Characters: Specify the most number of characters that the password can contain. You can set a value from 4 through 64 characters.
- Minimum Alphabetic Characters: Specify the least number of alphabetic characters (a-z and A-Z) that the password can contain. This value must be less than or equal to the value specified in the Minimum Characters field.
- Minimum Numeric Characters: Specify the least number of numeric characters (0 through 9) that the password can contain.
- Minimum Special Characters: Specify the least number of special characters that the password can contain. By default, all special characters excluding ASCII (0-31) characters are allowed.
- Expand the Advanced Configurations section.
- In the Additional Attributes section, specify any extra information (unsigned attributes) that you pass for the CA Auth ID PKI credential in the Name-Value pair format. For example, to lock the CA Auth ID PKI to a specific device, such as an end-user system, use this section to send the following extra information:
- Name: devlock_required, Value: yes
- Name: devlock_type, Value: hd
See CA Auth ID PKI Client Reference for more information about what extra information you can specify here. If you want to specify more attributes, click Add More to display extra fields, one at a time.
- In the Custom Attributes section, specify any extra information in the Name-Value pair format. For example, organization information that plug-ins can use.
- Set the following values in the User Validations section:
- Select the User Active option if you want to verify the user status for the following operations involving the current credential:
- Create credential
- Re-issue credential
- Reset credential
- Reset validity of the credential
- Select the User Attribute option if you want to verify whether the user attribute matches certain values. You can set the value for the following user attributes:
- Date when the user was created
- Date when the user details were modified
- Email address
- First name
- Middle name
- Last name
- User status
- Telephone number
- Unique user identifier
The User attribute check feature is available only if you are performing configurations at the organization level.
- In the Multiple Credential Options section, enter a description that identifies the purpose for which the CA Auth ID PKI is used in the Usage Type field. For example, a user can have a temporary credential to perform a remote login to the network; the usage type for this credential can be temporary.
- The History Validation section enables you to prevent users from reusing old CA Auth ID PKI passwords. You can select any of the following options:
- Last <N> Passwords: Select this option to force the current CA Auth ID PKI password to be different from the last <N> passwords.
- Password Created in Last: Select this option to force the current CA Auth ID PKI password to be different from the passwords that were used in the specified duration.
- Click Save to create or update the CA Auth ID PKI profile.
- Refresh all deployed CA Strong Authentication instances.
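The password-strength and history rules that the profile enforces can be modelled as a single validation routine. The following Python is an added example written for this page, not product code: the `PasswordProfile` field names mirror the UI labels above, and the assumption that any allowed character that is neither a-z/A-Z nor 0-9 counts as "special" is the author's, not the product's.

```python
import string
from dataclasses import dataclass

# Hypothetical model of the Password Strength and History Validation settings.
# Field names mirror the UI labels on this page; they are not a product API.
@dataclass
class PasswordProfile:
    min_chars: int = 8          # Minimum Characters (4 through 64)
    max_chars: int = 64         # Maximum Characters (4 through 64)
    min_alpha: int = 1          # Minimum Alphabetic Characters (a-z, A-Z)
    min_numeric: int = 1        # Minimum Numeric Characters (0-9)
    min_special: int = 1        # Minimum Special Characters
    last_n_passwords: int = 3   # History Validation: Last <N> Passwords

ALPHA = set(string.ascii_letters)
DIGITS = set(string.digits)

def check_profile_bounds(profile):
    """Constraints the page places on the profile values themselves."""
    errors = []
    for label, value in (("Minimum", profile.min_chars), ("Maximum", profile.max_chars)):
        if not 4 <= value <= 64:
            errors.append(f"{label} Characters must be 4 through 64")
    if profile.min_chars > profile.max_chars:
        errors.append("Minimum Characters exceeds Maximum Characters")
    if profile.min_alpha > profile.min_chars:
        errors.append("Minimum Alphabetic Characters must be <= Minimum Characters")
    return errors

def validate_password(password, profile, previous_passwords=()):
    """Return the list of rule violations; an empty list means the password passes."""
    errors = check_profile_bounds(profile)
    if errors:
        return errors
    # ASCII 0-31 control characters are never allowed; every other
    # non-alphanumeric character is counted as "special" (assumption).
    if any(ord(c) < 32 for c in password):
        errors.append("control characters (ASCII 0-31) are not allowed")
    if not profile.min_chars <= len(password) <= profile.max_chars:
        errors.append(f"length must be {profile.min_chars}-{profile.max_chars}")
    counts = {"alphabetic": 0, "numeric": 0, "special": 0}
    for c in password:
        kind = "alphabetic" if c in ALPHA else "numeric" if c in DIGITS else "special"
        counts[kind] += 1 if ord(c) >= 32 else 0
    for kind, required in (("alphabetic", profile.min_alpha),
                           ("numeric", profile.min_numeric),
                           ("special", profile.min_special)):
        if counts[kind] < required:
            errors.append(f"needs at least {required} {kind} character(s)")
    # History Validation: reject reuse of the last <N> passwords. The sample
    # history is plain text for illustration; a real store compares verifiers.
    history = list(previous_passwords)[-profile.last_n_passwords:] if profile.last_n_passwords else []
    if password in history:
        errors.append(f"must differ from the last {profile.last_n_passwords} passwords")
    return errors
```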
Configure the CA Auth ID PKI Authentication Policy
You can use a CA Auth ID PKI policy to specify the following attributes of CA Auth ID PKI-based authentication:
- User status: The status of the user, which can be active or inactive. If the user status check is enabled, then authentication for users in the inactive state fails.
- Lockout criteria: The number of failed attempts after which the user credentials are locked out.
- Unlocking criteria: The number of hours after which a locked CA Auth ID PKI credential can be used to log in again. This feature can drastically reduce the number of requests for resetting the credential.
- Using expired CA Auth ID PKI: The number of days a user is allowed to authenticate successfully with their expired CA Auth ID PKI credential.
- Expiry warning settings: The number of days before a warning about an impending CA Auth ID PKI credential expiration is sent to the calling application.
Exercise caution while using these options.
Follow these steps:
- Click the Services and Server Configurations tab on the main menu.
- Verify that the CA Strong Authentication tab in the submenu is active.
- Under the ArcotID section, click the Authentication link to display the CA Auth ID Authentication Policy page.
- Edit the fields in the Policy Configuration section, as required.
- Policy Configurations:
- Create: To create a new policy:
- Select the Create option.
- Specify the Configuration Name of the new policy in the field that appears.
- Update: To update an existing policy, select the policy from the Select Configuration list that appears.
- Copy Configuration: Enable this option if you want to create the policy by copying the configurations from an existing policy. Note: You can also copy from configurations that belong to other organizations that you have scope on.
- Available Configurations: Select the policy from which the configurations are copied.
- Lockout Credential After: Specify the number of failed attempts after which the user credential is locked.
- Check User Status Before Authentication: Select this option if you want to verify whether the user status is active before authenticating them.
- Expand the Advanced Configurations section by clicking the [+] sign.
- Edit the fields in the section, as required.
- Advanced Configurations:
- Issue Warning: Specify the number of days before a warning about an impending CA Auth ID PKI credential expiration is sent to the calling application.
- Allow Successful Authentication: Specify the number of days for which users can use an expired CA Auth ID PKI credential to log in successfully.
- Enable Automatic Credential Unlock: Select this option to allow a locked credential to be automatically unlocked after the time you specify in the Unlock After field. This field is valid only if you specify the corresponding value in the Lockout Credential After field.
- Unlock After: Specify the number of hours after which a locked credential can be used again for authentication.
- Challenge Validity (in Seconds): Specify the duration for which the CA Auth ID PKI challenge has to be valid.
- Multiple Credential Options:
- Usage Type for Verification: To authenticate users with the particular CA Auth ID PKI, enter the name of its usage type in this field. If you do not specify the usage type, then the default CA Auth ID PKI authentication policy is used.
- Click Save.
- Refresh all deployed CA Strong Authentication instances.
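How the lockout, automatic unlock, expired-credential grace period and expiry warning settings interact on a single authentication attempt is easiest to see in code. The following Python is an added example for this page, not product code: `AuthPolicy` and `CredentialState` are hypothetical models whose field names mirror the UI labels above, and the order in which the checks are applied is the author's assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical model of the CA Auth ID PKI Authentication Policy fields on this
# page; names mirror the UI labels, not a product API.
@dataclass
class AuthPolicy:
    lockout_after: int = 5            # Lockout Credential After (failed attempts)
    check_user_status: bool = True    # Check User Status Before Authentication
    auto_unlock: bool = True          # Enable Automatic Credential Unlock
    unlock_after_hours: int = 24      # Unlock After (hours)
    warn_days_before_expiry: int = 7  # Issue Warning (days)
    expired_grace_days: int = 3       # Allow Successful Authentication (days)

@dataclass
class CredentialState:
    user_active: bool
    expires_at: datetime
    failed_attempts: int = 0
    locked_at: Optional[datetime] = None  # set when the lockout threshold is reached

def evaluate(policy, cred, now, pki_proof_valid):
    """Apply the policy to one attempt (constructed logic, not the product's).
    Returns (result, warnings) with result 'success', 'failure' or 'locked',
    and updates the failure counter and lock state on cred.
    """
    warnings = []
    if policy.check_user_status and not cred.user_active:
        return "failure", warnings
    if cred.locked_at is not None:
        # Automatic unlock applies only when a lockout threshold is configured.
        unlock_due = (policy.auto_unlock and policy.lockout_after > 0 and
                      now >= cred.locked_at + timedelta(hours=policy.unlock_after_hours))
        if not unlock_due:
            return "locked", warnings
        cred.locked_at, cred.failed_attempts = None, 0
    if not pki_proof_valid:
        cred.failed_attempts += 1
        if policy.lockout_after and cred.failed_attempts >= policy.lockout_after:
            cred.locked_at = now
            return "locked", warnings
        return "failure", warnings
    # Expiry: an expired credential still succeeds inside the grace window,
    # and the calling application is warned ahead of expiry.
    if now > cred.expires_at:
        if now > cred.expires_at + timedelta(days=policy.expired_grace_days):
            return "failure", warnings
        warnings.append("credential expired; within grace period")
    elif now >= cred.expires_at - timedelta(days=policy.warn_days_before_expiry):
        warnings.append("credential expires soon")
    cred.failed_attempts = 0
    return "success", warnings
```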