Entrust PKI Connector Limitations
For this release, the following limitations should be considered when using the Entrust PKI Connector:
- Configuration of the Entrust System (setting certificate types, Entrust user roles and templates, and so forth) should be done using the Entrust native tools. The CA Identity Manager Entrust PKI account template or Add New Account operation can retrieve the range of the valid values for these attributes from the Entrust endpoint.
- New accounts are created with the Use default key update policy set. For some accounts, the individual key update policy may be required to be set using the Security Manager Administration tool.
- Due to restrictions in the Entrust Administration toolkit, password synchronization/propagation cannot be enabled for the PKI Accounts.
- The functionality that is provided in the Entrust PKI Connector is dependent on the functionality that is supported or restricted by the Entrust Administration toolkit.
- For this release, it is assumed that each user has only one profile defined per host. This limitation rests on the assumption that only one Entrust Authority Security System is associated with a given host and that the user uses a single profile to access that System.
- Due to limitations in the Entrust Administration toolkit, the PKI connector cannot operate on search bases. The Container DN control does not let you search the LDAP repository used internally by the Entrust Authority Security Manager system, so you must type in the Container DN value manually.
- Entrust Authority implements the Change DN operation in such a way that once the operation is executed, the operation enters a pending state and remains in that state until either the operation is canceled or the user logs in. During the pending state, two entries exist for the same user. If an exploration from the Provisioning Server is performed during this time, it will fail to explore the accounts container.
- Due to restrictions imposed by the Entrust Administration toolkit and implementation of the Provisioning Server, only the user's common name will be used for correlation purposes (to correlate existing Entrust accounts with global users).
- An attempt to create a PKI account by synchronizing a suspended global user with a PKI account template fails. This operation works only for active global users.
- PKI accounts cannot be activated or deactivated by performing a direct operation on the account object. These operations can only be performed by propagating global user status to the account.
- Only global users with CA Identity Manager administrative privileges, as well as PKI administrative privileges, are allowed to modify properties of managed PKI endpoint objects.
- Hardware security devices are not supported.