Configuring CA Auth ID PKI Settings

This page describes how to configure the CA Strong Authentication CA Auth ID PKI credential profile and authentication policy.
Ensure that you are logged in as a Global Administrator (GA) to perform all the tasks in this section.
Configure the CA Auth ID PKI Credential Profile
You can use a CA Auth ID PKI profile to define the following attributes:
  • Key strength: The size (in bits) of the key to be used in the CA Auth ID PKI Cryptographic Camouflage algorithm.
  • Validity period: The period for which a CA Auth ID PKI credential is valid.
  • Password strength: The effectiveness of a password, determined by its length and the number of alphabetic, numeric, and special characters in it.
By configuring a CA Auth ID PKI profile and assigning it to one or more organizations, you can control the characteristics of CA Auth ID PKIs that are issued to users of those organizations.
Follow these steps:
  1. Click the Services and Server Configurations tab on the main menu.
  2. Verify that the CA Strong Authentication tab in the submenu is active.
  3. Under the CA Auth ID section, click the Issuance link to display the CA Auth ID Profiles page.
  4. Edit the fields in the Profile Configurations section, as required:
    • Profile Configurations:
    • Create
      To create a new profile:
      • Select the Create option.
      • Specify the Configuration Name of the new profile in the field that appears.
    • Update
      To update an existing profile, select the profile that you want to update from the Select Configuration list.
    • Copy Configuration
      Enable this option if you want to create the profile by copying the configurations from an existing profile.
      Note: You can also copy from configurations that belong to other organizations that you have scope on.
    • Available Configurations
      Select the profile from which the configurations are copied.
    • Key Length (in Bits)
      Specify the size of the key (in bits) to be used for encryption. The default value is 1024 bits.
    • Validity Start Date
      Specify the date from which the issued CA Auth ID PKI credential is valid.
      Validity can start from either the date of the CA Auth ID PKI creation or you can specify a date.
    • Validity End Date
      Specify the date when the CA Auth ID PKI expires.
      You can either specify the duration for the credential expiration or you can specify the date.
    • Password Strength:
    • Minimum Characters
      Specify the minimum number of characters that the password can contain. You can set a value from 4 through 64 characters.
    • Maximum Characters
      Specify the maximum number of characters that the password can contain. You can set a value from 4 through 64 characters.
    • Minimum Alphabetic Characters
      Specify the least number of alphabetic characters (a-z and A-Z) that the password can contain.
      This value must be less than or equal to the value specified in the Minimum Characters field.
    • Minimum Numeric Characters
      Specify the least number of numeric characters (0 through 9) that the password can contain.
    • Minimum Special Characters
      Specify the least number of special characters that the password can contain. By default, all the special characters excluding ASCII (0-31) characters are allowed.
  5. Expand the Advanced Configurations section.
  6. In the Additional Attributes section, specify any extra information (unsigned attributes) that you pass for the CA Auth ID PKI credential in the Name-Value pair format.
    For example, to lock the CA Auth ID PKI to a specific device, such as an end-user system, use this section to send the following extra information:
    • devlock_required
      Value: yes
    • devlock_type
      Value: hd
    See CA Auth ID PKI Client Reference for more information about what extra information you can specify here.
    If you want to specify more attributes, click Add More to display extra fields, one at a time.
  7. In the Custom Attributes section, specify any extra information in the Name-Value pair format. For example, the organization information that plug-ins can use.
  8. Set the following values in the User Validations section:
    • Select the User Active option if you want to verify the user status for the following operations involving the current credential:
      • Create credential
      • Re-issue credential
      • Reset credential
      • Reset validity of the credential
    • Select the User Attribute option if you want to verify whether the user attribute matches certain values. You can set the value for the following user attributes:
      • Date when the user was created
      • Date when the user details were modified
      • Email address
      • First name
      • Middle name
      • Last name
      • User status
      • Telephone number
      • Unique user identifier
    The User Attribute check feature is available only if you are performing configurations at the organization level.
  9. In the Multiple Credential Options section, enter a description in the Usage Type field that identifies the purpose for which the CA Auth ID PKI is used. For example, a user can have a temporary credential to perform a remote login to the network. The usage type for this credential can be temporary.
  10. The History Validation section enables you to prevent users from reusing old CA Auth ID PKI passwords. You can select any of the following options:
    • Last <N> Passwords: Select this option to force the current CA Auth ID PKI password to be different from the last <N> passwords.
    • Password Created in Last: Select this option to force the current CA Auth ID PKI password to be different from the passwords that are used in the specified duration.
  11. Click Save to create or update the CA Auth ID PKI profile.
  12. Refresh all deployed CA Strong Authentication instances.
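The Password Strength fields in step 4 constrain one another, so a profile can be saved in a state that no password satisfies. The following sketch is an added example, not product code: it checks a profile for consistency and then tests a candidate password against it. The class, field, and function names are hypothetical, and the two checks marked as derived follow from logic rather than from this page.

```python
from dataclasses import dataclass

@dataclass
class PasswordProfile:
    # Hypothetical field names mirroring the Password Strength labels on this page.
    min_chars: int
    max_chars: int
    min_alpha: int = 0
    min_numeric: int = 0
    min_special: int = 0

def profile_errors(p):
    """Return reasons the profile is unusable; an empty list means consistent."""
    errs = []
    for label, value in (("Minimum Characters", p.min_chars),
                         ("Maximum Characters", p.max_chars)):
        if not 4 <= value <= 64:
            errs.append(f"{label} must be from 4 through 64")
    if p.min_alpha > p.min_chars:
        errs.append("Minimum Alphabetic Characters exceeds Minimum Characters")
    # Derived checks (not stated on the page): otherwise no password can comply.
    if p.min_chars > p.max_chars:
        errs.append("Minimum Characters exceeds Maximum Characters")
    if p.min_alpha + p.min_numeric + p.min_special > p.max_chars:
        errs.append("character-class minimums do not fit in Maximum Characters")
    return errs

def password_errors(p, pw):
    """Check one candidate password against the profile's counting rules."""
    alpha = sum(c.isascii() and c.isalpha() for c in pw)    # a-z and A-Z
    numeric = sum(c in "0123456789" for c in pw)            # 0 through 9
    control = sum(ord(c) < 32 for c in pw)                  # ASCII 0-31, not allowed
    special = len(pw) - alpha - numeric - control           # everything else
    errs = []
    if not p.min_chars <= len(pw) <= p.max_chars:
        errs.append("length outside Minimum/Maximum Characters")
    if alpha < p.min_alpha:
        errs.append("too few alphabetic characters")
    if numeric < p.min_numeric:
        errs.append("too few numeric characters")
    if special < p.min_special:
        errs.append("too few special characters")
    if control:
        errs.append("contains ASCII 0-31 control characters")
    return errs
```
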
Configure the CA Auth ID PKI Authentication Policy
You can use a CA Auth ID PKI policy to specify the following attributes of CA Auth ID PKI-based authentication:
  • User status: The status of the user, which can be active or inactive.
    If the user status check is enabled, then the authentication for users in inactive state results in failure.
  • Lockout criteria: The number of failed attempts after which the user credentials are locked out.
  • Unlocking criteria: The number of hours after which a locked CA Auth ID PKI credential can be used to log in again. This feature can drastically reduce the number of requests for resetting the credential.
  • Using expired CA Auth ID PKI: The number of days a user is allowed to authenticate successfully with their expired CA Auth ID PKI credential.
  • Expiry warning settings: The number of days before a warning about an impending CA Auth ID PKI credential expiration is sent to the calling application.
Exercise caution while using these options.
Follow these steps:
  1. Click the Services and Server Configurations tab on the main menu.
  2. Verify that the CA Strong Authentication tab in the submenu is active.
  3. Under the ArcotID section, click the Authentication link to display the CA Auth ID Authentication Policy page.
  4. Edit the fields in the Policy Configuration section, as required.
    • Policy Configurations:
    • Create
      To create a new policy:
      • Select the Create option.
      • Specify the Configuration Name of the new policy in the field that appears.
    • Update
      To update an existing policy, select the policy from the Select Configuration list that appears.
    • Copy Configuration
      Enable this option if you want to create the policy by copying the configurations from an existing policy.
      Note: You can also copy from configurations that belong to other organizations that you have scope on.
    • Available Configurations
      Select the policy from which the configurations are copied.
    • Lockout Credential After
      Specify the number of failed attempts after which the user credential is locked.
    • Check User Status Before Authentication
      Select this option if you want to verify whether the user status is active, before authenticating them.
  5. Expand the Advanced Configurations section by clicking the [+] sign.
  6. Edit the fields in the section, as required.
    • Advanced Configurations:
    • Issue Warning
      Specify the number of days before a warning about an impending CA Auth ID PKI credential expiration is sent to the calling application.
    • Allow Successful Authentication
      Specify the number of days for which users can use an expired CA Auth ID PKI credential to log in successfully.
    • Enable Automatic Credential Unlock
      Select this option to allow a locked credential to be automatically unlocked after the time you specify in the Unlock After field.
      This field is valid only if you specify the corresponding value in the Lockout Credential After field.
    • Unlock After
      Specify the number of hours after which a locked credential can be used again for authentication.
    • Challenge Validity (in Seconds)
      Specify the duration for which the CA Auth ID PKI challenge has to be valid.
    • Multiple Credential Options:
    • Usage Type for Verification
      To authenticate users with the particular CA Auth ID PKI, enter the name of its usage type in this field.
      If you do not specify the usage type, then the default CA Auth ID PKI authentication policy is used.
  7. Click Save.
  8. Refresh all deployed CA Strong Authentication instances.
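The policy settings above interact: automatic unlock only matters when a lockout threshold is set, and the expired-credential allowance extends the window in which a credential still authenticates. The following model is an added example, not product code, that makes those interactions explicit so that a chosen combination can be reviewed before it is saved. All names and result strings are hypothetical; the order of the checks, and the resetting of the failure counter on success and on unlock, are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:                  # hypothetical names mirroring the policy fields
    lockout_after: int         # Lockout Credential After (failed attempts, 0 = off)
    check_user_status: bool    # Check User Status Before Authentication
    auto_unlock: bool          # Enable Automatic Credential Unlock
    unlock_after_hours: int    # Unlock After
    grace_days: int            # Allow Successful Authentication (expired credential)
    warn_days: int             # Issue Warning

@dataclass
class Credential:
    expires: datetime
    failed: int = 0
    locked_at: Optional[datetime] = None

def authenticate(pol, cred, user_active, proof_ok, now):
    """Return a hypothetical result code for one authentication attempt."""
    if pol.check_user_status and not user_active:
        return "FAIL_USER_INACTIVE"
    if cred.locked_at is not None:
        unlock_at = cred.locked_at + timedelta(hours=pol.unlock_after_hours)
        # Automatic unlock applies only when a lockout threshold is configured.
        if not (pol.auto_unlock and pol.lockout_after > 0 and now >= unlock_at):
            return "FAIL_LOCKED"
        cred.locked_at, cred.failed = None, 0   # assumption: unlock clears the counter
    if now > cred.expires + timedelta(days=pol.grace_days):
        return "FAIL_EXPIRED"
    if not proof_ok:
        cred.failed += 1
        if pol.lockout_after > 0 and cred.failed >= pol.lockout_after:
            cred.locked_at = now                # this attempt triggers the lockout
        return "FAIL_BAD_PROOF"
    cred.failed = 0                             # assumption: success resets the counter
    if now > cred.expires:
        return "OK_EXPIRED_IN_GRACE"            # inside the expired-credential allowance
    if now >= cred.expires - timedelta(days=pol.warn_days):
        return "OK_EXPIRY_WARNING"              # calling application receives a warning
    return "OK"
```
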