
Domain Key and Master Keys

Keys are used to protect the shared secret that is used to generate and authenticate credentials, which include ArcotID PKI, OATH OTP, ArcotID OTP-OATH, and ArcotID OTP-EMV. The key used to create and manage ArcotID PKI credentials is called the Domain Key, and the keys used to create and manage the other credential types are called Master Keys.

When a user tries to authenticate using their credential, AuthMinder first checks whether the key that was used to protect that credential is still valid. If the key is valid, the user is authenticated on providing the correct credential; otherwise, the authentication fails regardless of the credential supplied.

By default, a key configuration is created when the AuthMinder Server is started for the first time. You can use this default configuration or create your own configuration using the keyConfigs element. You can create multiple key configurations, but only the configuration that is assigned to a credential type is used for creating credentials of that type and for authenticating those credentials. The other active configurations are used for authentication only.

The keyConfigs element is used to create the key configurations. The following table lists the key management-specific elements of this message:

name
  Mandatory: No
  Name for the configuration.

status
  Mandatory: No
  Indicates the status of the configuration.

label
  Mandatory: No
  The label under which the Domain Key is stored.

keyStatus
  Mandatory: No
  Indicates the status of the key. The supported values are:
  • 1: The key is active. The configurations created using this key can be used for both authentication and issuance operations.
  • 2: The key is inactive. The configurations created using this key might have expired. In this case, you can extend the validity and continue to use the credentials.
  • 3: The key is retired. The configurations created using this key are not valid anymore, and the credentials associated with this configuration will expire.

keyInHSM
  Mandatory: No
  Indicates whether the key is to be stored in a Hardware Security Module (HSM).

validity / validityBegin and validityEnd
  Mandatory: No
  While creating a key, you can set a period for which the key will be valid. When the key expires, the credentials issued with that key also expire.
  The validityBegin and validityEnd elements enable you to set the validity period by using the following elements:
  • year: The year when the validity period begins or ends.
  • month: The month when the validity period begins or ends.
  • day: The day on which the validity period begins or ends.
  • hour: The hour at which the validity period begins or ends.
  • minute: The minute at which the validity period begins or ends.
  • second: The second at which the validity period begins or ends.
  • dateType: How the start date or end date of the validity period is determined. The supported date types are:
    1: Uses the current date of the AuthMinder Server to set the validity or disable period. This is not applicable for validityEnd.
    2: Indicates that the credential will be valid forever and will not expire. This is not applicable for validityBegin.
    3: Uses the absolute date that is specified by your application to set the validity or disable period.
    4: Uses a relative date corresponding to the start date. For example, if the relative date is one month, then the end date is one month after the start date.
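The following script is an added example and is not part of the AuthMinder documentation or product code; it models how the keyStatus values and the validityBegin/validityEnd dateType rules above combine to decide whether a key configuration may issue or authenticate credentials, including the two dateType combinations the table rules out. It assumes that a relative end date (dateType 4) carries its offset in the same year..second fields, and that an inactive key (keyStatus 2) whose validity has been extended serves authentication only; both are interpretations, not documented behaviour.

```python
import calendar
from datetime import datetime, timedelta

KEY_ACTIVE, KEY_INACTIVE, KEY_RETIRED = 1, 2, 3                 # keyStatus values
DT_CURRENT, DT_FOREVER, DT_ABSOLUTE, DT_RELATIVE = 1, 2, 3, 4   # dateType values
FIELDS = ("year", "month", "day", "hour", "minute", "second")

def add_relative(start, f):
    """Add an offset to the start date (assumption: offset reuses the year..second fields)."""
    months = start.month - 1 + f["month"] + 12 * f["year"]
    year, month = start.year + months // 12, months % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])   # clamp Jan 31 -> Feb 28/29
    base = start.replace(year=year, month=month, day=day)
    return base + timedelta(days=f["day"], hours=f["hour"], minutes=f["minute"], seconds=f["second"])

def resolve_date(spec, now, is_end, start=None):
    """Resolve a validityBegin/validityEnd spec to a datetime; None means 'never expires'."""
    dtype = spec.get("dateType", DT_ABSOLUTE)
    f = {k: spec.get(k, 0) for k in FIELDS}
    if dtype == DT_CURRENT:                 # server clock; only meaningful for a start date
        if is_end:
            raise ValueError("dateType 1 (current date) is not applicable for validityEnd")
        return now
    if dtype == DT_FOREVER:                 # only meaningful for an end date
        if not is_end:
            raise ValueError("dateType 2 (forever) is not applicable for validityBegin")
        return None
    if dtype == DT_ABSOLUTE:
        return datetime(f["year"], f["month"], f["day"], f["hour"], f["minute"], f["second"])
    if dtype == DT_RELATIVE:
        if start is None:
            raise ValueError("dateType 4 (relative) needs the resolved start date")
        return add_relative(start, f)
    raise ValueError(f"unsupported dateType {dtype}")

def key_permissions(cfg, now, assigned_to_credential_type):
    """Return (can_issue, can_authenticate) for one keyConfigs entry at time `now`."""
    begin = resolve_date(cfg["validityBegin"], now, is_end=False)
    end = resolve_date(cfg["validityEnd"], now, is_end=True, start=begin)
    in_window = begin <= now and (end is None or now < end)
    status = cfg["keyStatus"]
    if status == KEY_RETIRED or not in_window:
        return False, False                  # retired or expired key: its credentials are invalid
    if status == KEY_INACTIVE:
        return False, True                   # interpretation: extended validity allows auth only
    return assigned_to_credential_type, True  # active: issuance only for the assigned config

# Constructed sample: key valid from the server's current date until one month later.
SAMPLE_CFG = {"name": "MasterKey-OATH", "keyStatus": KEY_ACTIVE, "keyInHSM": False,
              "validityBegin": {"dateType": DT_CURRENT},
              "validityEnd": {"dateType": DT_RELATIVE, "month": 1}}
NOW = datetime(2024, 1, 31, 12, 0, 0)        # constructed server time for the sample
```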