Creating PKI Certificate Authentication Realms
If you are using a public key infrastructure (PKI) to issue and manage the digital certificates used for login, you can configure Deployment Automation to authenticate users with your organization's PKI certificates. When this authentication is configured properly, a user is authenticated automatically from the client certificate installed in the user's web browser, without a password prompt.
Each PKI Certificate authentication realm is tied to one issuing CA certificate; set up multiple PKI Certificate authentication realms to support multiple CA certificates.
When you create a PKI Certificate authentication realm in Deployment Automation, you must provide information about your PKI Certificate installation as described in the following table.
For additional configuration requirements, see PKI Certificate Authentication Configuration.
Field | Description |
---|---|
Authorization Realm | Select Internal Security. A PKI Certificate authentication realm always uses Internal Security for authorization. |
CA Certificate File | Specify the path, including the file name, of the certificate of the CA that issued the user certificates. For example: D:\auth\ca.crt |
Username Attribute | Select either Subject or Alternative Subject (the Subject Alternative Name extension) and then select one of the available attributes. This attribute must map to the value that your certificates carry as the user name. See PKI Certificate Parsing. |
Email Attribute | Select either Subject or Alternative Subject and then select one of the available attributes. This attribute must map to the value that your certificates carry as the user's email address. See PKI Certificate Parsing. |
Full Name Attribute | Select either Subject or Alternative Subject and then select one of the available attributes. This attribute must map to the value that your certificates carry as the user's full name. See PKI Certificate Parsing. |
Verify Revocation | Select this to check whether the user certificate has been revoked since the user last authenticated with it. |
Revocation Strategy | If Verify Revocation is selected, select the revocation strategy you want to use. Options are as follows: |
Revocation Source Type | If Verify Revocation is selected, select the revocation source type you want to use. Options are as follows: |
OCSP Server URL | If Revocation Source Type is set to External or Both and you want to use an Online Certificate Status Protocol (OCSP) responder to verify certificate revocation, enter the URL of the responder. For example: http://ServerName:9999 Note: The Deployment Automation server and the OCSP server must use the same time and time zone, that is, their clocks must agree. Otherwise, depending on your selection for Revocation Strategy, the following will occur: |
CRL Distribution Point | If Revocation Source Type is set to External or Both and you want to check a certificate revocation list (CRL), specify the URL of the CRL file. For example: http://ServerName:8080/crl.file |
Use Revocation Cache | If Verify Revocation is selected, you can select this option to cache the result of the last revocation check so that the check is not repeated on every login to the server. The following are cached for the number of hours specified in Revocation Cache Expiration Period. Both caches are cleared when the authentication realm is updated. Note that a certificate revoked while its result is cached continues to be accepted until the cached result expires or the realm is updated. |
Revocation Cache Expiration Period | If Use Revocation Cache is selected, specify the time in hours after which the cache is refreshed. The default is 24 hours. |
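The following script is an added example and is not part of the Deployment Automation documentation or product. It builds a throwaway PKI with the openssl command line to show what the realm settings above actually act on: which certificate fields a Username, Full Name or Email attribute mapping resolves to (Subject userId and commonName, and an rfc822Name in the Subject Alternative Name), what a CRL-based Verify Revocation check returns before and after a certificate is revoked, and how a server clock that is ahead of the revocation source turns the check into an error, which is the situation the time-synchronization note warns about. All names, addresses and lifetimes (Example Corp, alice, 30-day certificates, a 1-day CRL) are made up for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the Deployment Automation docs or product. Throwaway
# PKI built with the openssl CLI: shows what the realm's Username/Full Name/
# Email attribute settings pick out of a user certificate and what a CRL-based
# revocation check returns before/after revocation and under clock skew.
# Every name here (Example Corp, alice, the lifetimes) is made up.
set -euo pipefail
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal config: CA database for 'openssl ca', CA and client extensions, and
# an empty [req_dn] so 'openssl req -subj' works without a system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[ca]
default_ca = demo_ca
[demo_ca]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 1
policy = policy_any
[policy_any]
organizationName = optional
commonName = supplied
userId = optional
emailAddress = optional
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[client]
subjectAltName = email:alice@example.com
extendedKeyUsage = clientAuth
EOF
touch index.txt; echo 1000 > serial; echo 1000 > crlnumber

# 1. Issuing CA. ca.crt is what the realm's "CA Certificate File" points at.
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -days 30 -subj "/O=Example Corp/CN=Example Corp Issuing CA" \
  -keyout ca.key -out ca.crt 2>/dev/null

# 2. User certificate: login name in Subject userId, display name in Subject
#    commonName, e-mail both in the Subject and in the Subject Alternative Name.
openssl req -config ca.cnf -newkey rsa:2048 -nodes \
  -subj "/O=Example Corp/CN=Alice Example/UID=alice/emailAddress=alice@example.com" \
  -keyout alice.key -out alice.csr 2>/dev/null
openssl ca -batch -config ca.cnf -extensions client \
  -in alice.csr -out alice.crt >/dev/null 2>&1

# A realm set to "Subject / <attribute>" resolves to the value printed here.
subject_attr() {   # usage: subject_attr CERT ATTR  (ATTR is an OpenSSL long name)
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,lname |
    sed -n "s/^ *$2=//p"
}
# A realm set to "Alternative Subject / rfc822Name" resolves to this value.
san_email() { openssl x509 -in "$1" -noout -ext subjectAltName | sed -n 's/.*email:\([^,]*\).*/\1/p'; }

# CRL-based revocation check: prints valid | revoked | error. An optional epoch
# time stands in for the server's clock to show what time skew does.
revocation_status() {   # usage: revocation_status CERT [EPOCH_SECONDS]
  local out
  if out="$(openssl verify ${2:+-attime "$2"} -CAfile ca.crt -CRLfile crl.pem -crl_check "$1" 2>&1)"; then
    echo valid
  elif grep -q 'certificate revoked' <<<"$out"; then
    echo revoked
  else
    echo "$out" | head -n1 >&2; echo error
  fi
}

openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
STATUS_BEFORE="$(revocation_status alice.crt)"                        # valid
# Server clock 3 days ahead of the CRL issuer: the 1-day CRL is already stale
# from the server's point of view, so the check fails instead of answering.
STATUS_SKEWED="$(revocation_status alice.crt $(( $(date +%s) + 3*86400 )))"  # error

openssl ca -config ca.cnf -revoke alice.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
STATUS_AFTER="$(revocation_status alice.crt)"                         # revoked

printf 'username=%s fullname=%s email(subject)=%s email(SAN)=%s\n' \
  "$(subject_attr alice.crt userId)" "$(subject_attr alice.crt commonName)" \
  "$(subject_attr alice.crt emailAddress)" "$(san_email alice.crt)"
printf 'before revocation: %s\nwith skewed clock: %s\nafter revocation: %s\n' \
  "$STATUS_BEFORE" "$STATUS_SKEWED" "$STATUS_AFTER"
```

Run it against your own user certificate (replace alice.crt) to confirm that the attribute you intend to select as Username Attribute is actually present and unique in the certificates your CA issues; a CA that puts the login name only in a Subject Alternative Name otherName (for example a UPN) needs the Alternative Subject choice rather than Subject. The skewed-clock case is the CRL analogue of the OCSP time note in the table: a stale or not-yet-valid revocation answer is an error, not a pass, and with a revocation cache enabled that error or a pre-revocation "valid" result is what gets reused for the cache period.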
Copyright © 2011–2017 Serena Software, Inc. All rights reserved.